Analysis

  • max time kernel: 1723s
  • max time network: 1661s
  • platform: windows11-21h2_x64
  • resource: win11-20240419-en
  • resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 26-04-2024 11:50

General

  • Target: Client-built.exe
  • Size: 78KB
  • MD5: 68bf7623de23b9e6f681e12a67638272
  • SHA1: e9bc5c4db1f6e6381170d1424d4d16d45154b5f1
  • SHA256: 1daf9f6c2cb45a50a0589972c4e3016689b27ef83590621501596b1c92147c57
  • SHA512: c6c8cde39b2c31f38323d21874023787922ee5f89b158ed59961a2ba8b7344cb424084a0d2cfbc85c48d41448863539995d56aae0aefab4fb361c0ffe17ca0cc
  • SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+HPIC:5Zv5PDwbjNrmAE+vIC

Malware Config

Extracted

  • Family: discordrat
  • Attributes
    • discord_token: MTIxMzEwMzAxOTI0ODU5MDg4MQ.GpKOLN.9X6ekyHjGRhrzCn0egzIYFCZ2LNbEjPZk-QX6Q
    • server_id: 1052631250457866370

Signatures

  • Discord RAT
    A RAT written in C# using Discord as a C2.
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    PID: 2752
    • Suspicious use of AdjustPrivilegeToken

Network

DNS requests (all sent to 8.8.8.8:53, geolocated US)

  • gateway.discord.gg
    Type: IN A
    Process: Client-built.exe
    Requests: 5
    Total size: 320 B
  • 8.8.8.8.in-addr.arpa
    Type: IN PTR
    Requests: 5
    Total size: 330 B


Downloads

  • memory/2752-0-0x000002C7324D0000-0x000002C7324E8000-memory.dmp (Filesize: 96KB)
  • memory/2752-1-0x000002C74CB90000-0x000002C74CD52000-memory.dmp (Filesize: 1.8MB)
  • memory/2752-2-0x00007FFAD5D10000-0x00007FFAD67D2000-memory.dmp (Filesize: 10.8MB)
  • memory/2752-3-0x000002C74CAD0000-0x000002C74CAE0000-memory.dmp (Filesize: 64KB)
  • memory/2752-4-0x00007FFAD5D10000-0x00007FFAD67D2000-memory.dmp (Filesize: 10.8MB)
