
Windows Analysis Report
Client-built.exe

Overview

General Information

Sample name: Client-built.exe
Analysis ID: 1572244
MD5: 051a35afeeaefb8cd96b0fb74673fce5
SHA1: 789f61f744f5db242338d2a681239e47920659d7
SHA256: e7f2b9453131a2040ff975e27915fe21f6b80953b12fe6d7309af2f6db45cb14
Tags: exe, XWorm, user-lontze7

Detection

Discord Rat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to disable the Task Manager (.Net Source)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Client-built.exe (PID: 6832 cmdline: "C:\Users\user\Desktop\Client-built.exe" MD5: 051A35AFEEAEFB8CD96B0FB74673FCE5)
    • WerFault.exe (PID: 1220 cmdline: C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Malware Configuration (Discord Rat):
{"Discord Token": "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o", "Server ID": "1313949691574226985"}

Yara matches (Source | Rule | Description | Author):
Client-built.exe | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
Process Memory Space: Client-built.exe PID: 6832 | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security
0.0.Client-built.exe.26500280000.0.unpack | JoeSecurity_DiscordRat | Yara detected Discord Rat | Joe Security

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: Client-built.exe | Avira: detected
Source: Client-built.exe | Malware Configuration Extractor: Discord Rat {"Discord Token": "MTMxNTExMzk1MTQwMjUyNDc5Mg.Gr0nG0.RZobhhDSOoVNDV4G6dfAh3s5Qo1p7HVqUhKZ3o", "Server ID": "1313949691574226985"}
Source: Client-built.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.2% probability
Source: Client-built.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 162.159.135.234:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Client-built.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\System.pdb) source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERE495.tmp.dmp.3.dr
Source: Binary string: b77a5c561934e089\mscorlib.pdbNe source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbp source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: Client-built.PDB` source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbn source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE495.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbt] source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Web.Extensions.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: mscorlib.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp, WERE495.tmp.dmp.3.dr
Source: Binary string: C:\Users\user\Desktop\Client-built.PDB= source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Client-built.PDBP\ source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pC:\Users\user\Desktop\Client-built.PDB` source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbR source: Client-built.exe, 00000000.00000002.2230209676.000002651A830000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbA source: Client-built.exe, 00000000.00000002.2230209676.000002651A87C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE495.tmp.dmp.3.dr
Source: Binary string: indoC:\Windows\mscorlib.pdb source: Client-built.exe, 00000000.00000002.2229028597.00000093163F1000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Client-built.exe, 00000000.00000002.2230209676.000002651A8C4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERE495.tmp.dmp.3.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERE495.tmp.dmp.3.dr
Source: global traffic | HTTP traffic detected:
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: GobKN9foaKmPGPS7JbnRqg==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
Source: Joe Sandbox View | IP Address: 162.159.135.234
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: gateway.discord.gg
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 10 Dec 2024 09:07:07 GMT
    Content-Length: 0
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zQvCRIfUa%2Fref6sxWM3WMRSg3c6mG5bBUlmHyiMCsTxo3gmI5wcap11iN8poWum2kY28iY26Kgxytm1jmYOhhGsEBpqW4JQ2Z3prMJ9%2BzpW3Oic9dH0VtTLBxUbTze6%2B28BGlg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8efc15350e0e436a-EWR
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502165000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: Client-built.exe | String found in binary or memory: http://www.google.com/maps/place/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/channels/
Source: Client-built.exe | String found in binary or memory: https://discord.com/api/v9/guilds/
Source: Client-built.exe | String found in binary or memory: https://file.io/
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg
Source: Client-built.exe, 00000000.00000002.2229419737.0000026500554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=json
Source: Client-built.exe, 00000000.00000002.2229817612.0000026502149000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg/?v=9&encording=jsonX
Source: Client-built.exe, 00000000.00000002.2229817612.00000265020B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gateway.discord.gg:443/?v=9&encording=json
Source: Client-built.exe | String found in binary or memory: https://geolocation-db.com/json
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/PasswordSte
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Token%20gra
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/Webcam.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/rootkit.dll
Source: Client-built.exe | String found in binary or memory: https://raw.githubusercontent.com/moom825/Discord-RAT-2.0/master/Discord%20rat/Resources/unrootkit.d
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443

E-Banking Fraud

Source: Yara match | File source: Client-built.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B13FB
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B133C
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B13D3
Source: C:\Users\user\Desktop\Client-built.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6832 -s 2300
Source: Client-built.exe | Static PE information: No import functions for PE file found
Source: Client-built.exe, 00000000.00000000.1672809600.0000026500296000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename Discord rat.exe8 vs Client-built.exe
Source: Client-built.exe | Binary or memory string: OriginalFilename Discord rat.exe8 vs Client-built.exe
Source: classification engine | Classification label: mal88.troj.evad.winEXE@2/5@1/1
Source: C:\Users\user\Desktop\Client-built.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6832
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\023fc88e-e11d-41a7-b262-3baa0d384546
Source: Client-built.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Client-built.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Client-built.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Client-built.exe | File read: C:\Users\user\Desktop\Client-built.exe
Source: unknown | Process created: C:\Users\user\Desktop\Client-built.exe "C:\Users\user\Desktop\Client-built.exe"
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: websocket.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Client-built.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Client-built.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Client-built.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Client-built.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Client-built.exe | Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation

Source: Client-built.exe, Program.cs | .Net Code: LoadDll System.Reflection.Assembly.Load(byte[])
Source: Client-built.exe, Program.cs | .Net Code: password
Source: Client-built.exe, Program.cs | .Net Code: webcampic
Source: Client-built.exe, Program.cs | .Net Code: select_cam
Source: Client-built.exe, Program.cs | .Net Code: get_cams
Source: Client-built.exe, Program.cs | .Net Code: get_tokens
Source: Client-built.exe | Static PE information: 0xD6D709DC [Mon Mar 20 18:56:28 2084 UTC]
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B3FFD push ebx; retf 000Bh | 0_2_00007FFD9B8B3FCA
Source: C:\Users\user\Desktop\Client-built.exe | Code function: 0_2_00007FFD9B8B3F9D push ebx; retf 000Bh | 0_2_00007FFD9B8B3FCA
Source: C:\Users\user\Desktop\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Client-built.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Client-built.exe | Process information set: NOOPENFILEERRORBOX (54 identical entries in the report)
          Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Client-built.exe; Memory allocated: 265004C0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Client-built.exe; Memory allocated: 2651A0B0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Client-built.exe TID: 3320; Thread sleep count: 328 > 30
          Source: C:\Users\user\Desktop\Client-built.exe TID: 3320; Thread sleep count: 166 > 30
          Source: Amcache.hve.3.dr; Binary or memory string: VMware
          Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin
          Source: Amcache.hve.3.dr; Binary or memory string: VMware, Inc.
          Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.3.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.3.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.3.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.3.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.3.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.3.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.3.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.3.dr; Binary or memory string: vmci.sys
          Source: Amcache.hve.3.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.3.dr; Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.3.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1
          Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.3.dr; Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.3.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.3.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.3.dr; Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.3.dr; Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.3.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Client-built.exe, 00000000.00000002.2229419737.0000026500554000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\\
          Source: Amcache.hve.3.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Users\user\Desktop\Client-built.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\Client-built.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Client-built.exe; Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\Client-built.exe; Queries volume information: C:\Users\user\Desktop\Client-built.exe VolumeInformation
          Source: C:\Users\user\Desktop\Client-built.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
          Source: C:\Users\user\Desktop\Client-built.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Client-built.exe, Program.cs; .Net Code: DisableTaskManager
          Source: Amcache.hve.3.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.3.dr; Binary or memory string: msmpeng.exe
          Source: Amcache.hve.3.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.3.dr; Binary or memory string: MsMpEng.exe

          Stealing of Sensitive Information

          Source: Yara match; File source: Client-built.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match; File source: Client-built.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.Client-built.exe.26500280000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.1672809600.0000026500282000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: Client-built.exe PID: 6832, type: MEMORYSTR

          MITRE ATT&CK Matrix (per tactic; a number in parentheses is the count of signatures matched for that technique in this analysis)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: Virtualization/Sandbox Evasion (3); Disable or Modify Tools (11); Process Injection (1); Obfuscated Files or Information (1); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Query Registry (1); Security Software Discovery (21); Virtualization/Sandbox Evasion (3); System Information Discovery (12); Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.