Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    94s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 15:32 UTC

General

  • Target

    InstallerV5.exe

  • Size

    78KB

  • MD5

    b61d469cf77f2dd30e1ef31acba14fc3

  • SHA1

    e1931cb1d20128df56ddfff69f84c5c1ed2975a7

  • SHA256

    574c5d147be871088a39dcf2dc54bf123f74da56ed2a44613e8e643e2d247ac0

  • SHA512

    bfee99acb08c57615d6bae9eee7bc331eecc82fee81fa09469fe7e891779cfda34860aacba77baa8c15482141169d366713ed4d6108990d4f553ac0734e256b1

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+K8PIC:5Zv5PDwbjNrmAE+KwIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU

  • server_id

    1257772717743276134

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\InstallerV5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallerV5.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3912

Network

  • flag-us
    DNS
    gateway.discord.gg
    InstallerV5.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.134.234
    gateway.discord.gg
    IN A
    162.159.135.234
    gateway.discord.gg
    IN A
    162.159.130.234
  • flag-us
    GET
    https://gateway.discord.gg/?v=9&encording=json
    InstallerV5.exe
    Remote address:
    162.159.136.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: uRyzKI1ml22OdbG7cd3c9w==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Fri, 12 Jul 2024 15:32:47 GMT
    Connection: upgrade
    sec-websocket-accept: JZ7lNvll4IIDoJ+K3jGQCEvC5Vs=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z9er0rwkDwhWORge0oijz4ROuaXwaXJaY89XfdstZUXwyc4zG9D6mcq1LpkRyZWRI354F2t6GrOuWu7G8I9NJV9LUulfeDTBMuVjdYd1vFoUZz%2BbwXuWoQcEptdlbJQE9brVMw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8a2216824b1871b6-LHR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    discord.com
    InstallerV5.exe
    Remote address:
    8.8.8.8:53
    Request
    discord.com
    IN A
    Response
    discord.com
    IN A
    162.159.135.232
    discord.com
    IN A
    162.159.138.232
    discord.com
    IN A
    162.159.137.232
    discord.com
    IN A
    162.159.128.233
    discord.com
    IN A
    162.159.136.232
  • flag-us
    POST
    https://discord.com/api/v9/guilds/1257772717743276134/channels
    InstallerV5.exe
    Remote address:
    162.159.135.232:443
    Request
    POST /api/v9/guilds/1257772717743276134/channels HTTP/1.1
    authorization: Bot MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU
    Content-Type: application/json; charset=utf-8
    Host: discord.com
    Content-Length: 29
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 403 Forbidden
    Date: Fri, 12 Jul 2024 15:32:48 GMT
    Content-Type: application/json
    Content-Length: 49
    Connection: keep-alive
    set-cookie: __dcfduid=fe1715d6406311ef951c9e4f562a3599; Expires=Wed, 11-Jul-2029 15:32:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
    x-ratelimit-limit: 2000
    x-ratelimit-remaining: 1999
    x-ratelimit-reset: 1720884768.046
    x-ratelimit-reset-after: 86400.000
    via: 1.1 google
    alt-svc: h3=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hVusaJAh7GPOgJZqZyJON44Jor8YoAzfxqE0mOhzPJTtF0CS8vdbfJquHFrM0fSETEcQxoDqdKhWm4XT4Zb9DnNClZYDtb%2Bn1Ha5XgLmYp0pTPj9NoYTm4esgp0V"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
    Set-Cookie: __sdcfduid=fe1715d6406311ef951c9e4f562a35996dfd10070d53c1347146f0d5d5bd50bf6592cf2eefcd903ceae23bbf1ae2c725; Expires=Wed, 11-Jul-2029 15:32:48 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
    Set-Cookie: __cfruid=24e5d3d92705ef92c37cee156496c5241a868b58-1720798368; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Set-Cookie: _cfuvid=MgXI1qPltG8nP0Cy6g_fxooPwwWNPSA4a7CtgqjFs1w-1720798368109-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 8a2216875bcf76f9-LHR
  • flag-us
    DNS
    234.136.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.136.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.135.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.135.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    107.12.20.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.12.20.2.in-addr.arpa
    IN PTR
    Response
    107.12.20.2.in-addr.arpa
    IN PTR
    a2-20-12-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 162.159.136.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    InstallerV5.exe
    2.0kB
    19.8kB
    25
    30

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 162.159.135.232:443
    https://discord.com/api/v9/guilds/1257772717743276134/channels
    tls, http
    InstallerV5.exe
    1.1kB
    5.0kB
    10
    11

    HTTP Request

    POST https://discord.com/api/v9/guilds/1257772717743276134/channels

    HTTP Response

    403
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    InstallerV5.exe
    64 B
    144 B
    1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.136.234
    162.159.133.234
    162.159.134.234
    162.159.135.234
    162.159.130.234

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    discord.com
    dns
    InstallerV5.exe
    57 B
    137 B
    1
    1

    DNS Request

    discord.com

    DNS Response

    162.159.135.232
    162.159.138.232
    162.159.137.232
    162.159.128.233
    162.159.136.232

  • 8.8.8.8:53
    234.136.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    234.136.159.162.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    232.135.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    232.135.159.162.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    107.12.20.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    107.12.20.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3912-1-0x000002655CE20000-0x000002655CE38000-memory.dmp

    Filesize

    96KB

  • memory/3912-0-0x00007FFF22B93000-0x00007FFF22B95000-memory.dmp

    Filesize

    8KB

  • memory/3912-2-0x0000026577500000-0x00000265776C2000-memory.dmp

    Filesize

    1.8MB

  • memory/3912-3-0x00007FFF22B90000-0x00007FFF23651000-memory.dmp

    Filesize

    10.8MB

  • memory/3912-4-0x0000026577E40000-0x0000026578368000-memory.dmp

    Filesize

    5.2MB

  • memory/3912-5-0x00007FFF22B90000-0x00007FFF23651000-memory.dmp

    Filesize

    10.8MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.