Overview

overview

10

Static

static

3

frie‮gpj.exe

windows10-2004-x64

frie‮gpj.exe

windows11-21h2-x64

10

Resubmissions

16/04/2025, 23:26

250416-3e3rls1mz3 10

16/04/2025, 20:05

250416-ytzw2syp17 10

Analysis

  • max time kernel
    461s
  • max time network
    877s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags

    arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16/04/2025, 20:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    frie‮gpj.exe

  • Size

    521KB

  • MD5

    fa686ae2f0713ae1b02296047ebcc87d

  • SHA1

    c07002d6a973789c28091495fc36e7ce1f2db93d

  • SHA256

    445e8e980c9ed096e55898149a625d436686b24d870c0ed08ae81b97ed4d5866

  • SHA512

    1ccb1877fe52a399a1dc4c2ac1de8c3f56772b13cd0bec053558fc90334bd291894b49f57120f0f9388431498df91be082ae5ac7bc18db3b5abc367d521f3f51

  • SSDEEP

    12288:ZyveQB/fTHIGaPkKEYzURNAwbAg8XIAVVsaz1J/CS:ZuDXTIGaPhEYzUzA0qpdzHaS

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM2MTg0MjQwNDY2Mjk2ODQ0Mg.GbO_ZS.7BypD_7qCEnOjM1Bcz1ic7kfHpyO7HfeBvYCVY

  • server_id

    1361842784121782312

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\frie‮gpj.exe
    "C:\Users\Admin\AppData\Local\Temp\frie‮gpj.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3512
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3860

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    Filesize

    78KB

    MD5

    f218c42ef38080b9cdeeefc930a9323e

    SHA1

    007cdb5163614a1de3fe6af210191e6ec53ae6e5

    SHA256

    7d76d3c6e37efdd8910316fccfbe5bff4cc745a192b71ed3e8aeda9517744a21

    SHA512

    fcd22e044fe66ac7881b0319ba01fb00f8cae89c5d933adbfe80ea2cd685c42ac79c06969626b2f1e0e1635291b7959c5744744f95f559d2c71f1e1df7d606cc

    Download Submit

  • memory/3860-14-0x00007FFF900F3000-0x00007FFF900F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3860-15-0x00000148F19A0000-0x00000148F19B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3860-16-0x00000148F4100000-0x00000148F42C2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3860-17-0x00007FFF900F0000-0x00007FFF90BB2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3860-18-0x00000148F5280000-0x00000148F57A8000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3860-19-0x00007FFF900F3000-0x00007FFF900F5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3860-20-0x00007FFF900F0000-0x00007FFF90BB2000-memory.dmp

    Filesize

    10.8MB

    Download