Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24-06-2024 14:55

General

  • Target

    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe

  • Size

    78KB

  • MD5

    bdeb1c21b2eb3126d5376a15e2438821

  • SHA1

    7ee99a827ee71a6dc54d5e1adc1ee650f624bcab

  • SHA256

    35f586efd9b4582468ddeb877a576ae97737b7976e6f6622a2959053d35edc91

  • SHA512

    4dc3bffa35c9ae3b244f83a18b6043c9c2c6dd3b74e426bfd989662d71ca5ea1ad45839b24d9366fd390172b9bf34fce6552a866038b182b88fd2ccab888fdb8

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+2PIC:5Zv5PDwbjNrmAE+yIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI0MjgyODA0NTYzMTQ5MjE0Nw.GaK9_b.DkeSn-Pej4eo5IcrUmOmowhbH0dXKH8vZX3FZ4

  • server_id

    1242477718638170204

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    "C:\Users\Admin\AppData\Local\Temp\bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:4824

Network

  • flag-us
    DNS
    gateway.discord.gg
    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
  • flag-us
    DNS
    gateway.discord.gg
    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
  • flag-us
    DNS
    gateway.discord.gg
    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
  • flag-us
    DNS
    gateway.discord.gg
    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
  • flag-us
    DNS
    gateway.discord.gg
    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    bdeb1c21b2eb3126d5376a15e2438821_EXE_leonel1022 backdoor.exe
    320 B
    5

    DNS Request

    gateway.discord.gg

    DNS Request

    gateway.discord.gg

    DNS Request

    gateway.discord.gg

    DNS Request

    gateway.discord.gg

    DNS Request

    gateway.discord.gg

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    330 B
    5

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

Downloads

  • memory/4824-1-0x00007FFCE2233000-0x00007FFCE2235000-memory.dmp

    Filesize

    8KB

  • memory/4824-0-0x000001193B0B0000-0x000001193B0C8000-memory.dmp

    Filesize

    96KB

  • memory/4824-2-0x0000011955700000-0x00000119558C2000-memory.dmp

    Filesize

    1.8MB

  • memory/4824-3-0x00007FFCE2230000-0x00007FFCE2CF2000-memory.dmp

    Filesize

    10.8MB

  • memory/4824-4-0x00007FFCE2230000-0x00007FFCE2CF2000-memory.dmp

    Filesize

    10.8MB
