
Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name: Client-built.exe
Analysis ID: 1572244
MD5: 051a35afeeaefb8cd96b0fb74673fce5
SHA1: 789f61f744f5db242338d2a681239e47920659d7
SHA256: e7f2b9453131a2040ff975e27915fe21f6b80953b12fe6d7309af2f6db45cb14
Tags: exe, XWorm, user-lontze7

Detection

Discord Rat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Client-built.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\Client-built.exe" MD5: 051A35AFEEAEFB8CD96B0FB74673FCE5)
    • WerFault.exe (PID: 1220 cmdline: C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Extracted malware configuration (Discord Rat): {"Discord Token": "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o", "Server ID": "1313949691574226985"}

Source | Rule | Description | Author | Strings
Client-built.exe | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
Process Memory Space: Client-built.exe PID: 6832 | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |
0.0.Client-built.exe.26500280000.0.unpack | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security |

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Client-built.exe | Avira: detected
Source: Client-built.exe | Malware Configuration Extractor: Discord Rat {"Discord Token": "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o", "Server ID": "1313949691574226985"}
Source: Client-built.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.2% probability
Source: Client-built.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Client-built.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\System.pdb) source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERE495.tmp.dmp.3.dr
Source: Binary string: b77a5c561934e089\mscorlib.pdbNe source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: Client-built.PDB` source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE495.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbt] source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Web.Extensions.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: mscorlib.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp, WERE495.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB= source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Client-built.PDBP\ source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Users\user\Desktop\Client-built.PDB` source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbA source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE495.tmp.dmp.3.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERE495.tmp.dmp.3.dr
Source: global traffic | HTTP traffic detected:
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: GobKN9foaKmPGPS7JbnRqg==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
Source: Joe Sandbox View | IP Address: 162.159.135.234 162.159.135.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gateway.discord.gg
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 10 Dec 2024 09:07:07 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zQvCRIfUa%2Fref6sxWM3WMRSg3c6mG5bBUlmHyiMCsTxo3gmI5wcap11iN8poWum2kY28iY26Kgxytm1jmYOhhGsEBpqW4JQ2Z3prMJ9%2BzpW3Oic9dH0VtTLBxUbTze6%2B28BGlg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8efc15350e0e436a-EWR
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502165000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: Client-built.exe | String found in binary or memory: http://www.google.com/maps/place/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/channels/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/guilds/
Source: Client-built.exe | String found in binary or memory: https://file.io/
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.2229419737.0000026500554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: Client-built.exe | String found in binary or memory: https://geolocation-db.com/json
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443

E-Banking Fraud

Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR