discordrat | 2be905a7d4c522b942b5b3dd18e36af7987938a588c0e92b0c3bb5e9637e3e9b

Analysis

max time kernel
83s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
04/03/2024, 09:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aidens doxxing id ip lookup.exe
Size

78KB
MD5

6c48434b3a92ea41e640f1bf37d7a15b
SHA1

4a8c9cd50310ac8211e7bbf33e75c86e84fab40e
SHA256

2be905a7d4c522b942b5b3dd18e36af7987938a588c0e92b0c3bb5e9637e3e9b
SHA512

1a5f6177f50cb2cffcd31c80c4402120a8cfb99a4db5da38ef9b5cd9c1a08467839eb4689141b2711bbd0d571c0838fd6ca1041e08ecff4033351e25cfcb6ca5
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+zPIC:5Zv5PDwbjNrmAE+rIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMzg2MDU4OTk0MDY0MTgxMg.GbC5u3.58k0W8RUYeLcRE7e2Pjuw2YyCxAUXirDOeY9Vs
server_id
1213861042640388136

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3624	Aidens doxxing id ip lookup.exe

C:\Users\Admin\AppData\Local\Temp\Aidens doxxing id ip lookup.exe
"C:\Users\Admin\AppData\Local\Temp\Aidens doxxing id ip lookup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3624

Network

DNS

gateway.discord.gg

Aidens doxxing id ip lookup.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.130.234

gateway.discord.gg

IN A

162.159.135.234
DNS

8.8.8.8.in-addr.arpa

Aidens doxxing id ip lookup.exe

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

nexusrules.officeapps.live.com

Aidens doxxing id ip lookup.exe

Remote address:

8.8.8.8:53

Request

nexusrules.officeapps.live.com

IN A

Response

nexusrules.officeapps.live.com

IN CNAME

prod.nexusrules.live.com.akadns.net

prod.nexusrules.live.com.akadns.net

IN A

52.111.243.30
DNS

234.133.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.133.159.162.in-addr.arpa

IN PTR

Response
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

162.159.133.234:443

gateway.discord.gg

tls

Aidens doxxing id ip lookup.exe

1.3kB
4.5kB
10
12

8.8.8.8:53

gateway.discord.gg

dns

Aidens doxxing id ip lookup.exe

206 B
375 B
3
3

DNS Request

gateway.discord.gg

DNS Response

162.159.133.234

162.159.134.234

162.159.136.234

162.159.130.234

162.159.135.234

DNS Request

8.8.8.8.in-addr.arpa

DNS Request

nexusrules.officeapps.live.com

DNS Response

52.111.243.30
8.8.8.8:53

234.133.159.162.in-addr.arpa

dns

146 B
294 B
2
2

DNS Request

234.133.159.162.in-addr.arpa

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3624-0-0x000001755A7F0000-0x000001755A808000-memory.dmp

Filesize
96KB

Download
memory/3624-1-0x0000017574E30000-0x0000017574FF2000-memory.dmp

Filesize
1.8MB

Download
memory/3624-2-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

Filesize
10.8MB

Download
memory/3624-3-0x000001755AC80000-0x000001755AC90000-memory.dmp

Filesize
64KB

Download
memory/3624-4-0x0000017576D30000-0x0000017577258000-memory.dmp

Filesize
5.2MB

Download
memory/3624-5-0x00007FF99CFD0000-0x00007FF99DA92000-memory.dmp

Filesize
10.8MB

Download
memory/3624-6-0x000001755AC80000-0x000001755AC90000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.