Edit tour

Windows Analysis Report
Discordd.exe

Overview

General Information

Sample name:	Discordd.exe
Analysis ID:	1575598
MD5:	17bbb12504a20c0c2544c8dac52ed0a1
SHA1:	ff9c5d849ee5817d47e1339b7a7c266119352d45
SHA256:	1b9e97ba99aed432ccc47149bc929f9ad64a16241ac168017205312075600a52
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Connects to many ports of the same IP (likely port scanning)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Discordd.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\Discordd.exe" MD5: 17BBB12504A20C0C2544C8DAC52ED0A1)

cmd.exe (PID: 5220 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1528 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 4472 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7172 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

Discord.exe (PID: 7248 cmdline: "C:\Users\user\AppData\Roaming\Discord.exe" MD5: 17BBB12504A20C0C2544C8DAC52ED0A1)

Discord.exe (PID: 7220 cmdline: C:\Users\user\AppData\Roaming\Discord.exe MD5: 17BBB12504A20C0C2544C8DAC52ED0A1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "18.ip.gl.ply.gg", "Ports": "6606,7707,8808,9028", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "Discord.exe", "Install_File": "ZXd6VndvMUVDRmV4bHgzcHJMcWR6UWdUeUtUNWtuMEQ="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Discordd.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Discordd.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Discordd.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa293:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e95:$a3: get_ActivatePong 0xa4ab:$a4: vmware 0xa323:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7ccf:$a6: get_SslClient
Discordd.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa325:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Discord.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\Discord.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\Discord.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa293:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e95:$a3: get_ActivatePong 0xa4ab:$a4: vmware 0xa323:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7ccf:$a6: get_SslClient
C:\Users\user\AppData\Roaming\Discord.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa325:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.2577392722.000000000306C000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x14fa6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xafa7:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xc34c:$a2: Stub.exe 0xc3dc:$a2: Stub.exe 0x7ba9:$a3: get_ActivatePong 0xb1bf:$a4: vmware 0xb037:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x89e3:$a6: get_SslClient
00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb039:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.1374889421.00000000023B1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x1ff66:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa093:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xc238:$a2: Stub.exe 0xc2c8:$a2: Stub.exe 0x6c95:$a3: get_ActivatePong 0xa2ab:$a4: vmware 0xa123:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7acf:$a6: get_SslClient
00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa125:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Discordd.exe PID: 6920	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Discordd.exe PID: 6920	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xf7c5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x20cf2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x371e5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Discord.exe PID: 7220	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x387a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.Discordd.exe.10000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.0.Discordd.exe.10000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.Discordd.exe.10000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa293:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e95:$a3: get_ActivatePong 0xa4ab:$a4: vmware 0xa323:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7ccf:$a6: get_SslClient
2.0.Discordd.exe.10000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa325:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2.2.Discordd.exe.24fbd14.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.Discordd.exe.24fbd14.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x8493:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x9838:$a2: Stub.exe 0x98c8:$a2: Stub.exe 0x5095:$a3: get_ActivatePong 0x86ab:$a4: vmware 0x8523:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x5ecf:$a6: get_SslClient
2.2.Discordd.exe.24fbd14.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x8525:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2.2.Discordd.exe.24fbd14.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2.2.Discordd.exe.24fbd14.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.Discordd.exe.24fbd14.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa293:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xb638:$a2: Stub.exe 0xb6c8:$a2: Stub.exe 0x6e95:$a3: get_ActivatePong 0xa4ab:$a4: vmware 0xa323:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x7ccf:$a6: get_SslClient
2.2.Discordd.exe.24fbd14.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa325:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Discordd.exe", ParentImage: C:\Users\user\Desktop\Discordd.exe, ParentProcessId: 6920, ParentProcessName: Discordd.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit, ProcessId: 5220, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5220, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' , ProcessId: 1528, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Discordd.exe

Avira: detected

Antivirus detection for URL or domain

Source: 18.ip.gl.ply.gg

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Discord.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: Discordd.exe

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "18.ip.gl.ply.gg", "Ports": "6606,7707,8808,9028", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "Discord.exe", "Install_File": "ZXd6VndvMUVDRmV4bHgzcHJMcWR6UWdUeUtUNWtuMEQ="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Discord.exe

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: Discordd.exe	Virustotal: Detection: 73%			Perma Link
Source: Discordd.exe	ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Discord.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Discordd.exe

Joe Sandbox ML: detected

Source: Discordd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Discordd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 18.ip.gl.ply.gg

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.18 ports 9028,0,2,8808,8,9,7707,6606

Yara detected Generic Downloader

Source: Yara match	File source: Discordd.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.7:49715 -> 147.185.221.18:9028

Source: Joe Sandbox View

IP Address: 147.185.221.18 147.185.221.18

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 18.ip.gl.ply.gg

Source: Discordd.exe, 00000002.00000002.1374889421.00000000024E7000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Discordd.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discordd.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: Discordd.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Discordd.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.2577392722.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.1374889421.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Discordd.exe PID: 6920, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Discord.exe PID: 7220, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: Discordd.exe, 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs Discordd.exe
Source: Discordd.exe, 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs Discordd.exe
Source: Discordd.exe	Binary or memory string: OriginalFilenameStub.exe" vs Discordd.exe

Source: Discordd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Discordd.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Discordd.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.2577392722.000000000306C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000002.1374889421.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Discordd.exe PID: 6920, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Discord.exe PID: 7220, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: Discordd.exe, EIZBVsWqABSiXu.cs	Base64 encoded string: 'Lp+t9jqQg8mxA+ujUfJQzmSlL8I1jsvbdNwJ/rCoYKHziWLKo2xZDCl0nydlBzBgpgbdAEwAyDsWC4vyT2CfgO17v0zf3UjC9UPVTPpOurk=', '/KDz9CuD0eYRTmHG7wbZCuuxt1VSz5KiKBCq+pHt1mToQhstBl4OuDid9tZDc5GqmiuKHJBqmvHiKPqZjHaCmA==', 'n1B1O4T5EIoi2fONT81CNRqEgjeSK/loNkUerSmphve1czVwWFZ7TG1jdwD88mg1ate1MO4DwWtIpvKmsOvbxg==', 'Ubo3dvRvcXm5CuVO1HFYzm8YQwKCLf4836rdxMLOVvntv9XO4F3XZL15daoVcuNBgqZIIIUUgqvSbfb9UtE7FyxPDFdthUErhb08x2uwD10dYeelqEzzguTYO6n5QH4TyDyJyVnBrG5pqkEaM9/25U0h3ZRVoT5Pw+z83yA7GkbVhLtK9CR+7lv+XQMGHr6WsXyGXTpnApuUlNC0HHKzEkZ7pNIHAWtfZFMd7lWLX7dzmDiNVl+6fK83oxI5rrLJvL8wN9oESiBeprodBNiTkPTxGy63KNOlUulFqvCS95gv5ZBFXBEy5hyjwYM/nr9q4lT7ELBmAd5XUcM9nvgeYzc1B24ExC+ALIh5sEuFet2kLk6qw/Z5cmXx/izQM4gAAhMbnU3Kcc/4oDSA1XDNganq6pE6RxznIuKlT7u5lbF9wbLhf66xiOqUTVYsJWBTOpwWk9hCqjdYJ6ZwTwjd3FPjjblfUiwtCHchzhdonOgLGhiRTSa78UAjttNywa+YRa6pRc0NroxqYtQ8A8kX7VaNUsaLFoi3gSGQNBVZbbMp7yLIgxgKghlU0GS9+osy+DmNzleuYK/YbHuKB3jdpWFO3flMVDBsbGgRedxelUlbBvP2rCxwosbyulp7Fmcjsd2cabdS8UpXTcRHS1ygfJj7diVQE7CptlJ8a/RAch86mxUI1YqJVZhAuvX7yk/uPRxYCgIBoz79B9ddrEdCc954IwoQnzZFPD2n564ESX/RZIVjvCBFmEbkYv/4UpcBXpfkPOraYaHPqMmyJk7RNkAvhs0MBgbY0vLk5AKvWt6hE2LZU7r7txBii5VHUKt5ZwEWJ4WQzBExeftXiBTx0l4GMO5eNnfiqWT/iIRwzJ6gnTC5pfrqCAY0aotFo8pAhYYvKM1+8tx1906gcMD0Z9h5JrDpOq41T1tcy7yJH/MGM3uzOkqingDrS91YEMMGyUJGRlIACy/OH8VrOnMvjw==', 'wA8UwiSQ/QHiX6VMjSXmTNm4iFOTehARjhZoG+L2FEdRWyJKISXKuI3S0sbwlCnEm1t38uMbT/aT6YuE9WTJhA==', 'oDgKNvr3p8PjVOQnL3sm89ZVmlAqpaonSJB8D4bSzJx2ogSw9pwbW/6UM4tIXyYAHKp9y1UUXWTt0AtspnV1TQ==', 'Lekp8q7V/ka1XVoKg8AfFG24tc77xD28ALOtNFjWYZSHG4gDnnUCghS6xTXJCH+O0KjDQcR7uCitkrOFMm4N6A=='
Source: Discord.exe.2.dr, EIZBVsWqABSiXu.cs	Base64 encoded string: 'Lp+t9jqQg8mxA+ujUfJQzmSlL8I1jsvbdNwJ/rCoYKHziWLKo2xZDCl0nydlBzBgpgbdAEwAyDsWC4vyT2CfgO17v0zf3UjC9UPVTPpOurk=', '/KDz9CuD0eYRTmHG7wbZCuuxt1VSz5KiKBCq+pHt1mToQhstBl4OuDid9tZDc5GqmiuKHJBqmvHiKPqZjHaCmA==', 'n1B1O4T5EIoi2fONT81CNRqEgjeSK/loNkUerSmphve1czVwWFZ7TG1jdwD88mg1ate1MO4DwWtIpvKmsOvbxg==', 'Ubo3dvRvcXm5CuVO1HFYzm8YQwKCLf4836rdxMLOVvntv9XO4F3XZL15daoVcuNBgqZIIIUUgqvSbfb9UtE7FyxPDFdthUErhb08x2uwD10dYeelqEzzguTYO6n5QH4TyDyJyVnBrG5pqkEaM9/25U0h3ZRVoT5Pw+z83yA7GkbVhLtK9CR+7lv+XQMGHr6WsXyGXTpnApuUlNC0HHKzEkZ7pNIHAWtfZFMd7lWLX7dzmDiNVl+6fK83oxI5rrLJvL8wN9oESiBeprodBNiTkPTxGy63KNOlUulFqvCS95gv5ZBFXBEy5hyjwYM/nr9q4lT7ELBmAd5XUcM9nvgeYzc1B24ExC+ALIh5sEuFet2kLk6qw/Z5cmXx/izQM4gAAhMbnU3Kcc/4oDSA1XDNganq6pE6RxznIuKlT7u5lbF9wbLhf66xiOqUTVYsJWBTOpwWk9hCqjdYJ6ZwTwjd3FPjjblfUiwtCHchzhdonOgLGhiRTSa78UAjttNywa+YRa6pRc0NroxqYtQ8A8kX7VaNUsaLFoi3gSGQNBVZbbMp7yLIgxgKghlU0GS9+osy+DmNzleuYK/YbHuKB3jdpWFO3flMVDBsbGgRedxelUlbBvP2rCxwosbyulp7Fmcjsd2cabdS8UpXTcRHS1ygfJj7diVQE7CptlJ8a/RAch86mxUI1YqJVZhAuvX7yk/uPRxYCgIBoz79B9ddrEdCc954IwoQnzZFPD2n564ESX/RZIVjvCBFmEbkYv/4UpcBXpfkPOraYaHPqMmyJk7RNkAvhs0MBgbY0vLk5AKvWt6hE2LZU7r7txBii5VHUKt5ZwEWJ4WQzBExeftXiBTx0l4GMO5eNnfiqWT/iIRwzJ6gnTC5pfrqCAY0aotFo8pAhYYvKM1+8tx1906gcMD0Z9h5JrDpOq41T1tcy7yJH/MGM3uzOkqingDrS91YEMMGyUJGRlIACy/OH8VrOnMvjw==', 'wA8UwiSQ/QHiX6VMjSXmTNm4iFOTehARjhZoG+L2FEdRWyJKISXKuI3S0sbwlCnEm1t38uMbT/aT6YuE9WTJhA==', 'oDgKNvr3p8PjVOQnL3sm89ZVmlAqpaonSJB8D4bSzJx2ogSw9pwbW/6UM4tIXyYAHKp9y1UUXWTt0AtspnV1TQ==', 'Lekp8q7V/ka1XVoKg8AfFG24tc77xD28ALOtNFjWYZSHG4gDnnUCghS6xTXJCH+O0KjDQcR7uCitkrOFMm4N6A=='
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, EIZBVsWqABSiXu.cs	Base64 encoded string: 'Lp+t9jqQg8mxA+ujUfJQzmSlL8I1jsvbdNwJ/rCoYKHziWLKo2xZDCl0nydlBzBgpgbdAEwAyDsWC4vyT2CfgO17v0zf3UjC9UPVTPpOurk=', '/KDz9CuD0eYRTmHG7wbZCuuxt1VSz5KiKBCq+pHt1mToQhstBl4OuDid9tZDc5GqmiuKHJBqmvHiKPqZjHaCmA==', 'n1B1O4T5EIoi2fONT81CNRqEgjeSK/loNkUerSmphve1czVwWFZ7TG1jdwD88mg1ate1MO4DwWtIpvKmsOvbxg==', 'Ubo3dvRvcXm5CuVO1HFYzm8YQwKCLf4836rdxMLOVvntv9XO4F3XZL15daoVcuNBgqZIIIUUgqvSbfb9UtE7FyxPDFdthUErhb08x2uwD10dYeelqEzzguTYO6n5QH4TyDyJyVnBrG5pqkEaM9/25U0h3ZRVoT5Pw+z83yA7GkbVhLtK9CR+7lv+XQMGHr6WsXyGXTpnApuUlNC0HHKzEkZ7pNIHAWtfZFMd7lWLX7dzmDiNVl+6fK83oxI5rrLJvL8wN9oESiBeprodBNiTkPTxGy63KNOlUulFqvCS95gv5ZBFXBEy5hyjwYM/nr9q4lT7ELBmAd5XUcM9nvgeYzc1B24ExC+ALIh5sEuFet2kLk6qw/Z5cmXx/izQM4gAAhMbnU3Kcc/4oDSA1XDNganq6pE6RxznIuKlT7u5lbF9wbLhf66xiOqUTVYsJWBTOpwWk9hCqjdYJ6ZwTwjd3FPjjblfUiwtCHchzhdonOgLGhiRTSa78UAjttNywa+YRa6pRc0NroxqYtQ8A8kX7VaNUsaLFoi3gSGQNBVZbbMp7yLIgxgKghlU0GS9+osy+DmNzleuYK/YbHuKB3jdpWFO3flMVDBsbGgRedxelUlbBvP2rCxwosbyulp7Fmcjsd2cabdS8UpXTcRHS1ygfJj7diVQE7CptlJ8a/RAch86mxUI1YqJVZhAuvX7yk/uPRxYCgIBoz79B9ddrEdCc954IwoQnzZFPD2n564ESX/RZIVjvCBFmEbkYv/4UpcBXpfkPOraYaHPqMmyJk7RNkAvhs0MBgbY0vLk5AKvWt6hE2LZU7r7txBii5VHUKt5ZwEWJ4WQzBExeftXiBTx0l4GMO5eNnfiqWT/iIRwzJ6gnTC5pfrqCAY0aotFo8pAhYYvKM1+8tx1906gcMD0Z9h5JrDpOq41T1tcy7yJH/MGM3uzOkqingDrS91YEMMGyUJGRlIACy/OH8VrOnMvjw==', 'wA8UwiSQ/QHiX6VMjSXmTNm4iFOTehARjhZoG+L2FEdRWyJKISXKuI3S0sbwlCnEm1t38uMbT/aT6YuE9WTJhA==', 'oDgKNvr3p8PjVOQnL3sm89ZVmlAqpaonSJB8D4bSzJx2ogSw9pwbW/6UM4tIXyYAHKp9y1UUXWTt0AtspnV1TQ==', 'Lekp8q7V/ka1XVoKg8AfFG24tc77xD28ALOtNFjWYZSHG4gDnnUCghS6xTXJCH+O0KjDQcR7uCitkrOFMm4N6A=='

Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, CVBgKJnauOSbQG.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, CVBgKJnauOSbQG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Discordd.exe, CVBgKJnauOSbQG.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Discordd.exe, CVBgKJnauOSbQG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Discord.exe.2.dr, CVBgKJnauOSbQG.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Discord.exe.2.dr, CVBgKJnauOSbQG.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/5@2/1

Source: C:\Users\user\Desktop\Discordd.exe

File created: C:\Users\user\AppData\Roaming\Discord.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Discord.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3284:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Discord.exe	Mutant created: \Sessions\1\BaseNamedObjects\kLUPkJ05yxZY

Source: C:\Users\user\Desktop\Discordd.exe

File created: C:\Users\user\AppData\Local\Temp\tmp6438.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat""

Source: Discordd.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Discordd.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Discordd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Discordd.exe	Virustotal: Detection: 73%
Source: Discordd.exe	ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\Discordd.exe

File read: C:\Users\user\Desktop\Discordd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Discordd.exe "C:\Users\user\Desktop\Discordd.exe"
Source: C:\Users\user\Desktop\Discordd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Discordd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Discord.exe C:\Users\user\AppData\Roaming\Discord.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"
Source: C:\Users\user\Desktop\Discordd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Discordd.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Discordd.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Discordd.exe, pcecfOeVpdr.cs	High entropy of concatenated method names: 'WkFeYeLzkfoQ', 'JXHYXwXaYYXaFRWt', 'HcXYVbWwxlVJv', 'KcoTuUweWYpg', 'KKSSiyMwdvbhIlx', 'xvPOVeaNfPW', 'ThIYmHZUIvHob', 'msvlsGGsoi', 'UetXFXSlpRPPFMdl', 'XEoIgtqrVMYAq'
Source: Discord.exe.2.dr, pcecfOeVpdr.cs	High entropy of concatenated method names: 'WkFeYeLzkfoQ', 'JXHYXwXaYYXaFRWt', 'HcXYVbWwxlVJv', 'KcoTuUweWYpg', 'KKSSiyMwdvbhIlx', 'xvPOVeaNfPW', 'ThIYmHZUIvHob', 'msvlsGGsoi', 'UetXFXSlpRPPFMdl', 'XEoIgtqrVMYAq'
Source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, pcecfOeVpdr.cs	High entropy of concatenated method names: 'WkFeYeLzkfoQ', 'JXHYXwXaYYXaFRWt', 'HcXYVbWwxlVJv', 'KcoTuUweWYpg', 'KKSSiyMwdvbhIlx', 'xvPOVeaNfPW', 'ThIYmHZUIvHob', 'msvlsGGsoi', 'UetXFXSlpRPPFMdl', 'XEoIgtqrVMYAq'

Source: C:\Users\user\Desktop\Discordd.exe

File created: C:\Users\user\AppData\Roaming\Discord.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Discordd.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discordd.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'

Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Discordd.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discordd.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Discordd.exe, Discord.exe.2.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Discordd.exe	Memory allocated: 9B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Memory allocated: 23B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Memory allocated: 9E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Memory allocated: 2D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Memory allocated: 10B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe TID: 6044	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Discordd.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Discord.exe.2.dr	Binary or memory string: vmware
Source: Discord.exe, 00000009.00000002.2579861937.000000000552B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHq9

Source: C:\Users\user\Desktop\Discordd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe	Queries volume information: C:\Users\user\Desktop\Discordd.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Discordd.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Queries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Discord.exe	Queries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Discordd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Discordd.exe, type: SAMPLE
Source: Yara match	File source: 2.0.Discordd.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.Discordd.exe.24fbd14.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Discordd.exe PID: 6920, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Scheduled Task/Job	2 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Discordd.exe	74%	Virustotal		Browse
Discordd.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
Discordd.exe	100%	Avira	TR/Dropper.Gen
Discordd.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Discord.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Discord.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Discord.exe	84%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat

Source	Detection	Scanner	Label	Link
18.ip.gl.ply.gg	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
18.ip.gl.ply.gg	147.185.221.18	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
18.ip.gl.ply.gg	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Discordd.exe, 00000002.00000002.1374889421.00000000024E7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.18	18.ip.gl.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575598
Start date and time:	2024-12-16 06:22:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Discordd.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/5@2/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 44 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Discord.exe, PID 7220 because it is empty
Execution Graph export aborted for target Discord.exe, PID 7248 because it is empty
Execution Graph export aborted for target Discordd.exe, PID 6920 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:23:54	Task Scheduler	Run new task: Discord path: "C:\Users\user\AppData\Roaming\Discord.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.18	Discord2.exe	Get hash	malicious	AsyncRAT	Browse
	Discord3.exe	Get hash	malicious	AsyncRAT	Browse
	7laJ4zKd8O.exe	Get hash	malicious	XWorm	Browse
	Discord.exe	Get hash	malicious	AsyncRAT	Browse
	r8k29DBraE.exe	Get hash	malicious	XWorm	Browse
	Lr87y2w72r.exe	Get hash	malicious	XWorm	Browse
	7LwVrYH7sy.exe	Get hash	malicious	XWorm	Browse
	1c8DbXc5r0.exe	Get hash	malicious	XWorm	Browse
	6Mt223MA25.exe	Get hash	malicious	ArrowRAT	Browse
	b34J4bxnmN.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
18.ip.gl.ply.gg	Discord2.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	Discord3.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	Discord.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	Crbq30Oxg6.exe	Get hash	malicious	CyberGate	Browse	147.185.221.18
	bwPgQVKx29.exe	Get hash	malicious	Njrat	Browse	147.185.221.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	Discord2.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	Discord3.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.18
	Loader.exe	Get hash	malicious	AsyncRAT	Browse	147.185.221.20
	72OWK7wBVH.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	aZDwfEKorn.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	HdTSntLSMB.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	7laJ4zKd8O.exe	Get hash	malicious	XWorm	Browse	147.185.221.18
	file.exe	Get hash	malicious	XWorm	Browse	147.185.221.24
	testingg.exe	Get hash	malicious	Njrat	Browse	147.185.221.19
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	147.185.221.224

Process:	C:\Users\user\AppData\Roaming\Discord.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Discordd.exe.log

Download File

Process:	C:\Users\user\Desktop\Discordd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhat92n4M6:ML9E4KlKDE4KhKiKhg84j
MD5:	AE6AF1A0CB468ECBA64E2D77CB4517DB
SHA1:	09BD6366ED569ADB79274BBAB0BBF09C8244FD97
SHA-256:	3A917DCBC4952EA9A1135B379B56604B3B63198E540C653683D522445258B710
SHA-512:	E578CD0D9BF43FD1BA737B9C44B70130462CE55B4F368E2E341BB94A3A3FFA47D4A9FE714EB86926620D1B4BE9FFF4582C219DF9ACC923C765650B13C5451500
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat

Download File

Process:	C:\Users\user\Desktop\Discordd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	159
Entropy (8bit):	5.086451351412418
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5o0nacwREaKC5dodASmqRD0nacwRE2J5xAInTRI5wJa5ZPy:hWKqTtT6cNwiaZ5LSmq1cNwi23fTHok
MD5:	AA310BB49AEFA29674B0F7256F2005D3
SHA1:	75F75885FCA4592DADF77F73B1E88B8E0CC15CE6
SHA-256:	460CFA5C27B0387B144B1808F346C849A4BB87C81DAA859F0C011683B0E09653
SHA-512:	C30E26B53700F469F20534C3C44F8A057EBDB66BE3C050E6DF33A6B6326E2B5C8D63EC3113B96CED39D8BD4B0329211B3D8FF432040C886360E019321BC75EE4
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Discord.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp6438.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\Discord.exe

Download File

Process:	C:\Users\user\Desktop\Discordd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48640
Entropy (8bit):	5.561526764518178
Encrypted:	false
SSDEEP:	768:MuyJNTAoZjRWUJd9bmo2qLPqjtXVcPICdOYV8AbTkByRPZmRMBDZ0x:MuyJNTAGL2LTCdOajbQARPZmRKd0x
MD5:	17BBB12504A20C0C2544C8DAC52ED0A1
SHA1:	FF9C5D849EE5817D47E1339B7A7C266119352D45
SHA-256:	1B9E97BA99AED432CCC47149BC929F9AD64A16241AC168017205312075600A52
SHA-512:	B73CA96A3A51CEBEB520B82B25DA49785943D0AEEAB731080A224C5F0397767CE12744B8F0AB56C9395B49070246BADABD915882180592E4E79F7DC1882B7B44
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e............................~.... ........@.. ....................... ............@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........Y..8v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vrv%.p~....(o....#....s...

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.561526764518178
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Discordd.exe
File size:	48'640 bytes
MD5:	17bbb12504a20c0c2544c8dac52ed0a1
SHA1:	ff9c5d849ee5817d47e1339b7a7c266119352d45
SHA256:	1b9e97ba99aed432ccc47149bc929f9ad64a16241ac168017205312075600a52
SHA512:	b73ca96a3a51cebeb520b82b25da49785943d0aeeab731080a224c5f0397767ce12744b8f0ab56c9395b49070246badabd915882180592e4e79f7dc1882b7b44
SSDEEP:	768:MuyJNTAoZjRWUJd9bmo2qLPqjtXVcPICdOYV8AbTkByRPZmRMBDZ0x:MuyJNTAGL2LTCdOajbQARPZmRKd0x
TLSH:	BB233B003BE9812BF3BE5FB498F22245857AF6677603D64E1CC4419B1B13BC59A426FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e............................~.... ........@.. ....................... ............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40d07e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd02c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb084	0xb200	70180df1802f05c0ee2d603150c0f3b1	False	0.5417837078651685	data	5.618539752674135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x7ff	0x800	0f68ce4dd77ed0bb9c1e6b31f6995d94	False	0.41748046875	data	4.88506844918463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	4cabfef58a4e8716ddd98e1c6e729d0d	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0xe36c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 06:24:00.559779882 CET	49715	9028	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:00.680879116 CET	9028	49715	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:00.680964947 CET	49715	9028	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:00.727586031 CET	49715	9028	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:00.847382069 CET	9028	49715	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:22.577147007 CET	9028	49715	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:22.577212095 CET	49715	9028	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:27.610372066 CET	49715	9028	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:27.730051041 CET	9028	49715	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:27.870767117 CET	49785	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:27.990652084 CET	7707	49785	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:27.990837097 CET	49785	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:27.991240978 CET	49785	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:28.111016989 CET	7707	49785	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:49.890444040 CET	7707	49785	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:49.890532017 CET	49785	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:54.905805111 CET	49785	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:54.906558037 CET	49849	6606	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:55.025551081 CET	7707	49785	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:55.026232004 CET	6606	49849	147.185.221.18	192.168.2.7
Dec 16, 2024 06:24:55.026302099 CET	49849	6606	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:55.026865959 CET	49849	6606	192.168.2.7	147.185.221.18
Dec 16, 2024 06:24:55.146522045 CET	6606	49849	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:16.907491922 CET	6606	49849	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:16.907618999 CET	49849	6606	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:22.016438961 CET	49849	6606	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:22.017627954 CET	49910	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:22.136142969 CET	6606	49849	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:22.137310982 CET	7707	49910	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:22.137377024 CET	49910	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:22.180609941 CET	49910	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:22.300435066 CET	7707	49910	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:44.017354012 CET	7707	49910	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:44.017429113 CET	49910	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:49.031235933 CET	49910	7707	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:49.032428026 CET	49976	8808	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:49.151005030 CET	7707	49910	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:49.152126074 CET	8808	49976	147.185.221.18	192.168.2.7
Dec 16, 2024 06:25:49.152273893 CET	49976	8808	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:49.152769089 CET	49976	8808	192.168.2.7	147.185.221.18
Dec 16, 2024 06:25:49.272460938 CET	8808	49976	147.185.221.18	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2024 06:24:00.352237940 CET	54586	53	192.168.2.7	1.1.1.1
Dec 16, 2024 06:24:00.494195938 CET	53	54586	1.1.1.1	192.168.2.7
Dec 16, 2024 06:24:27.611036062 CET	60587	53	192.168.2.7	1.1.1.1
Dec 16, 2024 06:24:27.869945049 CET	53	60587	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 16, 2024 06:24:00.352237940 CET	192.168.2.7	1.1.1.1	0x8c39	Standard query (0)	18.ip.gl.ply.gg	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:24:27.611036062 CET	192.168.2.7	1.1.1.1	0xb134	Standard query (0)	18.ip.gl.ply.gg	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 16, 2024 06:24:00.494195938 CET	1.1.1.1	192.168.2.7	0x8c39	No error (0)	18.ip.gl.ply.gg		147.185.221.18	A (IP address)	IN (0x0001)	false
Dec 16, 2024 06:24:27.869945049 CET	1.1.1.1	192.168.2.7	0xb134	No error (0)	18.ip.gl.ply.gg		147.185.221.18	A (IP address)	IN (0x0001)	false

Target ID:	2
Start time:	00:23:46
Start date:	16/12/2024
Path:	C:\Users\user\Desktop\Discordd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Discordd.exe"
Imagebase:	0x10000
File size:	48'640 bytes
MD5 hash:	17BBB12504A20C0C2544C8DAC52ED0A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.1374889421.00000000024FB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.1374889421.00000000023B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000000.1315180363.0000000000012000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:23:51
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:23:51
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:23:51
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat""
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:23:51
Start date:	16/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:23:52
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:23:52
Start date:	16/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x8a0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:23:54
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\Discord.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Discord.exe
Imagebase:	0xd00000
File size:	48'640 bytes
MD5 hash:	17BBB12504A20C0C2544C8DAC52ED0A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.2577392722.000000000306C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	00:23:55
Start date:	16/12/2024
Path:	C:\Users\user\AppData\Roaming\Discord.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Discord.exe"
Imagebase:	0x680000
File size:	48'640 bytes
MD5 hash:	17BBB12504A20C0C2544C8DAC52ED0A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 009B0EBA Relevance: 6.4, Strings: 5, Instructions: 166COMMON

Download Yara Rule

Strings

D@b, xrefs: 009B1004
(q, xrefs: 009B1192
Teq, xrefs: 009B0EED
d^t, xrefs: 009B0F05
D@b, xrefs: 009B11A3

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID: (q$D@b$D@b$Teq$d^t
API String ID: 0-1503220645
Opcode ID: 97766157be9638c14b0c44706196ac8a07269899f2d5e9aef82689496421baa3
Instruction ID: 53cf4fda72ee57a9803d1203f7713dfc27409d433d9379ec89cc695e6517f4d7
Opcode Fuzzy Hash: 97766157be9638c14b0c44706196ac8a07269899f2d5e9aef82689496421baa3
Instruction Fuzzy Hash: 09517B31B001149FC744DF69D499B9EBBF6BF89710F2981A9E406DB3A1CA75ED01CB90

Function 009B0D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Hq, xrefs: 009B0E40
D@b, xrefs: 009B0E51

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID: D@b$Hq
API String ID: 0-2933608274
Opcode ID: 8f062842e282b34d2cc048adea935502524f80d0b1cf14f0c2e292d54d2b6806
Instruction ID: fede272791eb96121db44f39276c606fb27f3879c0b0709087942be7bb56827b
Opcode Fuzzy Hash: 8f062842e282b34d2cc048adea935502524f80d0b1cf14f0c2e292d54d2b6806
Instruction Fuzzy Hash: E941C431B042048FD715DF69D454B9EBBF6AF89310F1844AAE105DB3A1CB35DD05CBA0

Function 009B0E3F Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

Hq, xrefs: 009B0E40
D@b, xrefs: 009B0E51

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID: D@b$Hq
API String ID: 0-2933608274
Opcode ID: 66d3ec07afe1ff1d997ffba2fb041c37b9eca8f213d875f9234d76bbca7f4153
Instruction ID: 3bea16bd08794692e3772d097d510df94335f96d83b0870f71572e0fea8583dc
Opcode Fuzzy Hash: 66d3ec07afe1ff1d997ffba2fb041c37b9eca8f213d875f9234d76bbca7f4153
Instruction Fuzzy Hash: DAF0A4313087505FC355DB7DB85562E7FEB9FCB26031904AAE105CB366CD24DC0583A1

Function 009B1339 Relevance: 1.4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

Strings

LRq, xrefs: 009B138B

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 03f1f70c185e2f1f285a2a8a1f3d66acc6ef712f533e0e0b949232b767b0eaae
Instruction ID: 28c0f378c1888ae7ed80ff45982555d33f2edc4088217994850a7936521dbd3f
Opcode Fuzzy Hash: 03f1f70c185e2f1f285a2a8a1f3d66acc6ef712f533e0e0b949232b767b0eaae
Instruction Fuzzy Hash: C041F130B002158FCB549B7DD4A1AAE7BF6EF89320B5441A9E506DB395EE34DD028790

Function 009B1DC0 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a5a66bb404bbf2652ce8582a50ecf13e9b4fd1680e9375ecead3680e1aab75
Instruction ID: 954ea213aa157e05f972cadc9acbe5b8e5e5a470ec2405ad425162493b86d506
Opcode Fuzzy Hash: 58a5a66bb404bbf2652ce8582a50ecf13e9b4fd1680e9375ecead3680e1aab75
Instruction Fuzzy Hash: 86C119347002048FDB54EF68D598AAE77F6EF89310F254569E906EB365DB31EC42CB60

Function 009B1EAC Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e6b7b04796e9579180887a2a9c06b26fe74f11e43444a79e87728f0ab3ee1
Instruction ID: b843acfa58764e1445ed92a9fb30eb8e70ce061c0dcb4b5bc3571ccc96a0e21f
Opcode Fuzzy Hash: 205e6b7b04796e9579180887a2a9c06b26fe74f11e43444a79e87728f0ab3ee1
Instruction Fuzzy Hash: FA611A347002048FDB54EB68D594AAE77F6EF88310F254558E906DB3A9DB71EC42CB61

Function 009B0AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50b98e2d2a4b4ca02014cc5d90e8c9efa08415c2f6cf57d185d064f3dafa357
Instruction ID: fcec1187228d8d8d75a62e88b538047437614f75b99b9c220cd21c52944d6de3
Opcode Fuzzy Hash: e50b98e2d2a4b4ca02014cc5d90e8c9efa08415c2f6cf57d185d064f3dafa357
Instruction Fuzzy Hash: D6510C38500625CFC726FF38E8C4599777BFF88325B50966AD5028B269FB31A946CF81

Function 009B11D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6fc8a521b6f09ccf872c397a487476bc2334e9f3261faf4a5f3cb9420ec976
Instruction ID: 97363b8a34d712a3f6687f1f09ae69659929ffb692d4297265aa08200a28f98b
Opcode Fuzzy Hash: 1d6fc8a521b6f09ccf872c397a487476bc2334e9f3261faf4a5f3cb9420ec976
Instruction Fuzzy Hash: 9341B270F00208AFCB44EBB9C5547AEBBFAEF89310F248569D44AD7345DA349D428B91

Function 009B1030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae0394bce344351757056d3cc1b6005bffd20ffa9cdcbc164ce7bb652ec15440
Instruction ID: 7958b546858db66fc4cb9e824af54c81c5c8b201fee6c03a5ca8d23f4f079d2d
Opcode Fuzzy Hash: ae0394bce344351757056d3cc1b6005bffd20ffa9cdcbc164ce7bb652ec15440
Instruction Fuzzy Hash: 49212E35B001189FE714EB68C665BAE7BF3FF88720F688058E505EB3A5CA719D40CB80

Function 0061D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369304097.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_61d000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88da3a764ffafa162ce27f289864b9b302c7e534ce5d262a5f254997bbaa1b2
Instruction ID: 7d0f6d6f2d6bfc4b55c247a678ccbc0e7fd5ce538677c6357188170c9154bfc0
Opcode Fuzzy Hash: a88da3a764ffafa162ce27f289864b9b302c7e534ce5d262a5f254997bbaa1b2
Instruction Fuzzy Hash: 1D21F872504240EFDB15DF14D9C0BA6BFA7FB94318F28C56DE9090B256C336D896CBA2

Function 009B09A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2dc5337e3fb27c2bf3c44fd31ba823c32914fc17dad3c72876185f529b6cf75
Instruction ID: 8ab7ac7f36d55e8016a3ac6144cc14faf6b3dfd8e522bca555b5b2baf6461104
Opcode Fuzzy Hash: c2dc5337e3fb27c2bf3c44fd31ba823c32914fc17dad3c72876185f529b6cf75
Instruction Fuzzy Hash: 2C215130600B028FDB75AF799A5C7AF7AADAF84361B14AC2D9907C1194FF30D941DB52

Function 0061D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1369304097.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_61d000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: e216e02f5e7d0ec3d9e1f8aced2ffd58c225b115ac803121248c5cca8dbc8fde
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 1D11E1B2804240DFCB16CF04D5C0B96BF72FB84324F28C6A9D9090B656C336D856CBA2

Function 009B1440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 024df7fae05cf8eab9f650d049326c9bb885bd0c00b39095e9e36b964ae11533
Instruction ID: f3e7ce01dafd25a3dbabb3845aab11fe3be1696ee8178b08f76b78a72b0079b2
Opcode Fuzzy Hash: 024df7fae05cf8eab9f650d049326c9bb885bd0c00b39095e9e36b964ae11533
Instruction Fuzzy Hash: A411C070B00204DFCB54EBB9C954A6A7BFAAF88320B544879D50ACB328EE31DC41CB90

Function 009B2195 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f4d049f7566800d09fd5b02895fcffb70d99d18019c818a306247521b8732c
Instruction ID: 7081fe4734c9c2ba10813484135dd798886f2b74dfa337f972de86e714b0e98d
Opcode Fuzzy Hash: 24f4d049f7566800d09fd5b02895fcffb70d99d18019c818a306247521b8732c
Instruction Fuzzy Hash: 00E065306087954ADB25D27C90103DE7BD29B85318F04096EC58747681CBB7A94543A3

Function 009B2210 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1372521091.00000000009B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9b0000_Discordd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5f8669205c96af3aa13238cf8896011a9929e3aeec05f9858fa78345d246f5
Instruction ID: 080073d40b2812928f7e2a22c6216ad0c84717ef53e11da9924899f09b4aa67d
Opcode Fuzzy Hash: bc5f8669205c96af3aa13238cf8896011a9929e3aeec05f9858fa78345d246f5
Instruction Fuzzy Hash: ECD0A9313401245BC700A2FDE44999E3FDAEFCAB217A800AAE006DF361CE22EE0103D8

Analysis Process: Discord.exePID: 7220, Parent PID: 932COMMON

Executed Functions

Function 02D9236F Relevance: 6.7, Strings: 5, Instructions: 447COMMON

Download Yara Rule

Strings

`p^, xrefs: 02D9297C
aq, xrefs: 02D92927
xq, xrefs: 02D929BE
,, xrefs: 02D924B8
aq, xrefs: 02D92984

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: aq$ aq$,$xq$`p^
API String ID: 0-3628833490
Opcode ID: e81d247a84f759fcb9970b5806c5938efeac2d79e38d54ee97d29cb831b182da
Instruction ID: fdf2f948b4c5be30ae80214153b463676ac67b2a5367c193141cc41cc52dbba5
Opcode Fuzzy Hash: e81d247a84f759fcb9970b5806c5938efeac2d79e38d54ee97d29cb831b182da
Instruction Fuzzy Hash: 1A026B30A00205DFDB14AF68D898B6D77E3FB84310F248669E816AB3A5DB75DC46CB91

Function 02D925AA Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

`p^, xrefs: 02D9297C
aq, xrefs: 02D92927
xq, xrefs: 02D929BE
aq, xrefs: 02D92984

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: aq$ aq$xq$`p^
API String ID: 0-1772152970
Opcode ID: 4a64b50b514a18742ce23e7da0871199274533dae268d5709ca558da7b3cb7ea
Instruction ID: 45f726d6b7dacf74e18db5290a6b4d32d9c7bf21029cd2ed535571f6746f7be7
Opcode Fuzzy Hash: 4a64b50b514a18742ce23e7da0871199274533dae268d5709ca558da7b3cb7ea
Instruction Fuzzy Hash: 23615A34A403059FE724AF28D844B6E76E3FB85314F148569E8069F3A1DB75DC46CB91

Function 02D90EB8 Relevance: 3.9, Strings: 3, Instructions: 157COMMON

Download Yara Rule

Strings

d^t, xrefs: 02D90F05
(q, xrefs: 02D91192
Teq, xrefs: 02D90EED

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: (q$Teq$d^t
API String ID: 0-854792360
Opcode ID: b97d2a0eb1a78a06a005caae614e3f550420607a33b6ac91b93d6891682f1373
Instruction ID: df0e6acb8082fdb9320278a563b651b4be035bfe2d9c33207f9a6182cd0f4935
Opcode Fuzzy Hash: b97d2a0eb1a78a06a005caae614e3f550420607a33b6ac91b93d6891682f1373
Instruction Fuzzy Hash: E3516930B101158FDB54DF69D458A6EBBF6BF89700F2581A9E806EB3A5CB75DC01CB90

Function 02D91D8D Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

q, xrefs: 02D91D90

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: q
API String ID: 0-1563958681
Opcode ID: 6e619a92f3f1d2532741f8ef28fca9fbb16ca78d6622fe301a97e8b3a7fd70ef
Instruction ID: 364dddef36a57916d7d2e57cde4493c45302b705cfe021bc795d333e74e386ce
Opcode Fuzzy Hash: 6e619a92f3f1d2532741f8ef28fca9fbb16ca78d6622fe301a97e8b3a7fd70ef
Instruction Fuzzy Hash: 44C12A34B00214CFDB54EF68D458A6D7BF2EF88310F2185A9E906AB3A5DB75DC42CB91

Function 02D90D20 Relevance: 1.4, Strings: 1, Instructions: 131COMMON

Download Yara Rule

Strings

Hq, xrefs: 02D90E40

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: aa20cef407bb2c4cdb05cab25999a7e45c1fb637a02e079924afab7febf8927b
Instruction ID: c7ff0bde4b4e585871bdb375a653ac91796980d229ea46e981e1bdc26029deb2
Opcode Fuzzy Hash: aa20cef407bb2c4cdb05cab25999a7e45c1fb637a02e079924afab7febf8927b
Instruction Fuzzy Hash: 4941A075B042048FDB19DF69D454BAEBBF6AF88300F1485AAE406DB3A1CB75DC05CB91

Function 02D91339 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

LRq, xrefs: 02D9138B

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: 41aeb09992d7cb74001061ab57e977b42257927394b61bde7ec9d86a9ffc2e4c
Instruction ID: 0d886e685f7ffae1047620f40886e3253b5ad9fbb27b708216ff4d31c7fdfb46
Opcode Fuzzy Hash: 41aeb09992d7cb74001061ab57e977b42257927394b61bde7ec9d86a9ffc2e4c
Instruction Fuzzy Hash: 91319C70B002168FDB54AB7D8451A7EBBF2BF88300B2481A9E54ADB354DF34DD02CB90

Function 02D90E3F Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

Hq, xrefs: 02D90E40

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID: Hq
API String ID: 0-1594803414
Opcode ID: 7ff8a00e863f0eac06ac7432475b7bf672d63ac2cb689229ba4540da6f5b9476
Instruction ID: 256cf43f5d3bdead0f67bd1446bb932f3335eaccf63cee7e4ccb7964ee678034
Opcode Fuzzy Hash: 7ff8a00e863f0eac06ac7432475b7bf672d63ac2cb689229ba4540da6f5b9476
Instruction Fuzzy Hash: BAF0F6717083500FD35AA77DB82452F7FE79FC925436544BAE145CB366CE24CC068391

Function 02D90AA0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d866696c1fc23743dacd9fe3f11dc3dc5436fa2ced06384a583a0ce9ecb8b7
Instruction ID: c9b0b8479eb53f9b9692183cb529410192ab0845ad2096949106491cb9503ceb
Opcode Fuzzy Hash: 44d866696c1fc23743dacd9fe3f11dc3dc5436fa2ced06384a583a0ce9ecb8b7
Instruction Fuzzy Hash: 6251E534A00201CFC719EF78E8546597763FB882457908A79D803AB268EB7D9D46CFC1

Function 02D911D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70105d727f59e0cb74fd1f3036b7ca57212616e62aa795f6481643e7df1887c
Instruction ID: d71a4fbf63ca667cc10ccd8bd2597149a1179ed86becedcff9cdc992b5f0e1df
Opcode Fuzzy Hash: b70105d727f59e0cb74fd1f3036b7ca57212616e62aa795f6481643e7df1887c
Instruction Fuzzy Hash: 2F417171F00209AFCB54EBB9845466EBBF6FF89300F24C569E84AD7345DA349D428B91

Function 02D90D10 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19d40c7917106178661ff08eb1e449f215d36b138176e4e4b0739c9b710156fa
Instruction ID: eaaf277315668193fc34da4fe74664a5062590803839fb7decd0e5267b861195
Opcode Fuzzy Hash: 19d40c7917106178661ff08eb1e449f215d36b138176e4e4b0739c9b710156fa
Instruction Fuzzy Hash: B5317C75A002048FDB15DF69D458BAEBBF6BF48301F1485A9E402AB3A1CB75ED45CB90

Function 02D90998 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16dfa19d30b682906f53bf331314ed30f2ab60e0531460e37fd178264223233a
Instruction ID: 3a6e0eab872629704bed152e7f08938dd383fa30f61d545f8a77c8450eb001c7
Opcode Fuzzy Hash: 16dfa19d30b682906f53bf331314ed30f2ab60e0531460e37fd178264223233a
Instruction Fuzzy Hash: A6214C30A482129FEF68AB79F85432E7AA5AB043467558A79E847D2250DB74CD40CBD1

Function 02D909A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76bd1d1fb72569c15aae17d51e4b227460a5ffcc871977455cdc7d80acc7c7e
Instruction ID: dd50801f28b428dad3ea600902d5656c602f9c491ad773afaeb7db4512bf32c1
Opcode Fuzzy Hash: b76bd1d1fb72569c15aae17d51e4b227460a5ffcc871977455cdc7d80acc7c7e
Instruction Fuzzy Hash: 3D213B30A48202DFDF68AF79B91872E7AA5AF003467459939F907D2244EB74CD40CBE2

Function 02D91431 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e2f23b6ad8a1fc64628079cfd5bbbdd40e039c9b57c8b967682b37514d6fb3
Instruction ID: ea581e727663991a1009b1afa2a8fd0b78d577d5201a5ad45c1aeea693d97457
Opcode Fuzzy Hash: 21e2f23b6ad8a1fc64628079cfd5bbbdd40e039c9b57c8b967682b37514d6fb3
Instruction Fuzzy Hash: 8011ADB4A01201CFCB54EBB8D91466A7BF6EF8921075045B8E40ADB324EB39CD41DB80

Function 02D91440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152e0f3302178acfdf5336584077e367e96d248002a292021d83d839627051a1
Instruction ID: 5da132482ab4a029a599deabcb550881670f6803aaea28774828e7affaae1290
Opcode Fuzzy Hash: 152e0f3302178acfdf5336584077e367e96d248002a292021d83d839627051a1
Instruction Fuzzy Hash: 4C11A970B00205DFCB54EBB9C908A2A7BFAEF8921075445B8E80ADB314EE39DC41CB90

Function 02D922E8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdded583913148c9b007351a19670edc806f061d2de61f6217894f22247e70
Instruction ID: d06c315c7797209c41a1f83043ee8eac375b2d53b452e115ab9c54544335c7b7
Opcode Fuzzy Hash: 5ecdded583913148c9b007351a19670edc806f061d2de61f6217894f22247e70
Instruction Fuzzy Hash: BD014830A01215EFCF44EE689455BAE77A5EB05704B44416DE896A7300DB349E00CBE2

Function 02D90E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8404f8d3d3923b8dae522a690ffb5350cf24153b20c5d1a619e49c84c1678783
Instruction ID: 39b9622b5b1f6931697cb4570c74c4891c5ce25222289fa4f74ac8446b42a8a0
Opcode Fuzzy Hash: 8404f8d3d3923b8dae522a690ffb5350cf24153b20c5d1a619e49c84c1678783
Instruction Fuzzy Hash: 73E08C313002005F8348966EA89495ABBEAEBC8260355487AE509C7315CD70CC014690

Function 02D92202 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13bd8d6031485308bf0ea9c1b1ab4dfab413e72adcc754f50fa884e7d24c6ac7
Instruction ID: 149d31d2a9599a0ae9787524bc7af751e6d196ba8e6a37fb29ba87f4fc17e59f
Opcode Fuzzy Hash: 13bd8d6031485308bf0ea9c1b1ab4dfab413e72adcc754f50fa884e7d24c6ac7
Instruction Fuzzy Hash: 8FD0EC70D1420D5ACB80EEA988453AABAF5F708100F50426A980CD2301E6309A114B92

Function 02D90A8F Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b452411124eb79680d871cb9305798cf8b5195f05767e426e051b73c1a177392
Instruction ID: a8ea401159135a6913d67bae2467b80ddccd731acd066c4a14ab62ba09a31468
Opcode Fuzzy Hash: b452411124eb79680d871cb9305798cf8b5195f05767e426e051b73c1a177392
Instruction Fuzzy Hash: 9AC08C34E8C347CFEB2423B4F80C32C3D50AF40317F818A46B1824A2A28EB04C20C397

Function 02D90A73 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2577325440.0000000002D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2d90000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff5f23e4f4e2426557d7c7fe94346d0ea8d913ba7e70fd3ece23c9ef14eda79
Instruction ID: 1d49369fc65e97ada2996cbef928157096f274b75560894dc48dcbae991be119
Opcode Fuzzy Hash: cff5f23e4f4e2426557d7c7fe94346d0ea8d913ba7e70fd3ece23c9ef14eda79
Instruction Fuzzy Hash: 4BC08C30E8C38ACFEF241374F80C32C3E50AB40317F818A4AB182492A28EB04C20C797

Analysis Process: Discord.exePID: 7248, Parent PID: 4472COMMON

Executed Functions

Function 010B0EB8 Relevance: 6.4, Strings: 5, Instructions: 161COMMON

Download Yara Rule

Strings

D@, xrefs: 010B1004
D@, xrefs: 010B11A3
d^t, xrefs: 010B0F05
(q, xrefs: 010B1192
Teq, xrefs: 010B0EED

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID: (q$D@$D@$Teq$d^t
API String ID: 0-4213354011
Opcode ID: 924547cca351878c6b8a7cfa393c4dc5255f2a90419320b0e3428d8a98ebb19d
Instruction ID: d33b4a82e96730fe57a205a9520738bd0dc0492582d577e3f2e59d796f26444d
Opcode Fuzzy Hash: 924547cca351878c6b8a7cfa393c4dc5255f2a90419320b0e3428d8a98ebb19d
Instruction Fuzzy Hash: 4051C030B101049FD744DF69D499B9EBBF6FF89700F2581AAE806EB3A5CA75DC018B91

Function 010B0D20 Relevance: 2.6, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

Hq, xrefs: 010B0E40
D@, xrefs: 010B0E51

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID: D@$Hq
API String ID: 0-1550339779
Opcode ID: 116b5d26ee366173bcb21fcf94ab87241b86910902685f7df6d8bdb8f3890803
Instruction ID: e7bccc8de29ecb3605a87f27133acdec59089e12e0ec144c4c99b686a8711caa
Opcode Fuzzy Hash: 116b5d26ee366173bcb21fcf94ab87241b86910902685f7df6d8bdb8f3890803
Instruction Fuzzy Hash: 0D41E531B042048FDB15DF69D494BAEBBF6EF89300F1484AAE105EB3A6CA35DC05CB91

Function 010B0E3F Relevance: 2.5, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

Hq, xrefs: 010B0E40
D@, xrefs: 010B0E51

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID: D@$Hq
API String ID: 0-1550339779
Opcode ID: f64b58064aef1d2b1dbb2a44ad6e285a4027c9a2e31888eaa8f7cd4b545e6d26
Instruction ID: 26c918fc6bf0b68e321515a49f1d53c7a56ee72d85dc84a2d58cf29dea007fb5
Opcode Fuzzy Hash: f64b58064aef1d2b1dbb2a44ad6e285a4027c9a2e31888eaa8f7cd4b545e6d26
Instruction Fuzzy Hash: 2BF022213083401FD349AB3E681562E3FEB9BCA21032904ABE205DB3A7CD258C0A83A1

Function 010B1339 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

LRq, xrefs: 010B138B

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID: LRq
API String ID: 0-3187445251
Opcode ID: e01454feea45c7342474fd43017125dc3a4a6bf2755ebacc1e7743c52c939f5a
Instruction ID: 13bb6a1027b1431d2e3516215984d2626aa7e56e03e83341df3b65d6e03fae16
Opcode Fuzzy Hash: e01454feea45c7342474fd43017125dc3a4a6bf2755ebacc1e7743c52c939f5a
Instruction Fuzzy Hash: 8D310235F002058FCB54AB7D98A1AAE7BF6EFC5710B2481A9E546DB395EE30DD028790

Function 010B0AA0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef48e7705b380222d1c31cc0a5bd5bd798ab835f2dc56574fbcbfbedde717a5
Instruction ID: 4ad3c665a696f3323997e4fc009b52c585dd1a73f6aab61c5b9029082a1bf1ef
Opcode Fuzzy Hash: 6ef48e7705b380222d1c31cc0a5bd5bd798ab835f2dc56574fbcbfbedde717a5
Instruction Fuzzy Hash: DE51077C614205CFCB16FF38E8C49697762FBC93157508668D4099F26EEB39990ACF81

Function 010B11D0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82592eaa476618d8409782c0b8b097d30ba44055c14ea8d6d3ec89de98720f5
Instruction ID: e5f2bfdf0a4e13dbb1e8b41eb3d48993e6e27af6f2c4d2dcf8ee341aa4da4690
Opcode Fuzzy Hash: b82592eaa476618d8409782c0b8b097d30ba44055c14ea8d6d3ec89de98720f5
Instruction Fuzzy Hash: 48419570F00209AFCB44EBBDD4547AEBBFAEF85310F248569D449D7345DA349D428B91

Function 00C3D4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1443901884.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c3d000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10198ef6c41766b716e58a2323fb4d0a01c941f1251f32065f63d40eb72559f
Instruction ID: 414bf7b29e3396103ff5e60754c2232db50a5ff87016759fe91819e7f19fe1d4
Opcode Fuzzy Hash: c10198ef6c41766b716e58a2323fb4d0a01c941f1251f32065f63d40eb72559f
Instruction Fuzzy Hash: 9C2103B2914200EFDB15DF14E9C0B26BF65FB98318F20C569E90B0B256C336D956CBA2

Function 010B09A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b80ab32969a7a56875959d670e7daf473120d1f0be2d25458f23dd11ec6a411
Instruction ID: 015c683ced5555c9c9f24a7efa87521d73d4d9a22de6f8810cdb601aeb50c1ba
Opcode Fuzzy Hash: 3b80ab32969a7a56875959d670e7daf473120d1f0be2d25458f23dd11ec6a411
Instruction Fuzzy Hash: 612181357046028FEB95AF7E98943BF7AF4AF41340B048AA9B587E519DEE30C405CB51

Function 00C3D49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1443901884.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_c3d000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 311f76132309e2e24bb0cad36c62d068a3ec2aa5747d9195ca7c713e7d21aa44
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 291103B2804240DFCF16CF04E5C0B16BF72FB94324F24C5A9D90A0B656C336D95ACBA2

Function 010B1440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1444476315.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10b0000_Discord.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4334e6f182198dc42cb3255e3c91e866141575a77db7c8cbd991bf25a24239
Instruction ID: d6750f9007ff911873c4d16bf36b3b73e80ee307c89fa0272a242123b0339c46
Opcode Fuzzy Hash: 9c4334e6f182198dc42cb3255e3c91e866141575a77db7c8cbd991bf25a24239
Instruction Fuzzy Hash: 5B118B74A002059FCB54EBB9D954A6A7BE6EF892107144478D44ADB318EF35CC41CB90

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Discordd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Discord.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Discordd.exe.log

C:\Users\user\AppData\Local\Temp\tmp6438.tmp.bat

C:\Users\user\AppData\Roaming\Discord.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Discordd.exe