Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Discord rat.exe

windows10-1703-x64

10

Resubmissions

22/07/2024, 18:30 UTC

240722-w5j9ma1cpa 10

22/07/2024, 18:29 UTC

240722-w49g5a1gnl 10

22/07/2024, 18:27 UTC

240722-w3rkxs1fnj 10

Analysis

  • max time kernel
    2s
  • max time network
    4s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22/07/2024, 18:29 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Discord rat.exe

  • Size

    90KB

  • MD5

    53612001ad62ea14156092dc8efcb7d2

  • SHA1

    adf16de81fe448dd9d45d9044faab982441b8d58

  • SHA256

    b1ee141a617b02a783c721e6e505b961be32b0bfbf79959b3ffe3a4504173b11

  • SHA512

    61018750bdacb8ccf783f610b25463aa6e0a3e21b14c1d539e5e8700d2c78c243428ea579b4a19f31d17cfa5649c255a30a9e2140ff8d4d1e856fc622f0cae7e

  • SSDEEP

    1536:hbPjt72uOFmYskRPUAqtBTldwX0bpAkAfLgbGNrF+uexCxoKV6+fi83:JjtyuOFpskpgBTlukQgbGNrF+bSi8

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI2NTAxMTgwMzUyMDI0MTgyNg.Gixgjj.XDPqCHG2EZuhXeegiOPwvU_Lk4mudkLkpJ6VOU

  • server_id

    1265010770744443021

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4988

Network

  • flag-us
    DNS
    gateway.discord.gg
    Discord rat.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.135.234
    gateway.discord.gg
    IN A
    162.159.130.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.134.234
  • flag-us
    DNS
    gateway.discord.gg
    Discord rat.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
  • flag-us
    GET
    https://gateway.discord.gg/?v=9&encording=json
    Discord rat.exe
    Remote address:
    162.159.135.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: aNHBFyd3+2bgQdnLDMwGIQ==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 22 Jul 2024 18:29:54 GMT
    Connection: upgrade
    sec-websocket-accept: nra0v1j71ObymI2ohqhBOuvLLFA=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RdigbrmKmMr6Q9d%2F7Ol%2FJYvO8gcNPs%2BefKj5pFoNwv%2BVFxm4Jx81fIHqueUD%2FfoSLwvIlngHir5K7mqen9%2F32LgxA605OXKUQc%2FPkH6cxH5XOEJ5325jeXCuKACPgjvOsBgDZg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8a757fb95edcbeb6-LHR
  • flag-us
    DNS
    234.135.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.135.159.162.in-addr.arpa
    IN PTR
    Response
  • 162.159.135.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    Discord rat.exe
    1.1kB
     4.2kB
     10
    12

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    Discord rat.exe
    128 B
     144 B
     2
    1

    DNS Request

    gateway.discord.gg

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.135.234
    162.159.130.234
    162.159.133.234
    162.159.136.234
    162.159.134.234

  • 8.8.8.8:53
    234.135.159.162.in-addr.arpa
    dns
    74 B
     136 B
     1
    1

    DNS Request

    234.135.159.162.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4988-0-0x000002AE65CC0000-0x000002AE65CDC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4988-1-0x00007FF8F2423000-0x00007FF8F2424000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4988-2-0x000002AE00340000-0x000002AE00502000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4988-3-0x00007FF8F2420000-0x00007FF8F2E0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4988-4-0x000002AE00D10000-0x000002AE01236000-memory.dmp

    Filesize

    5.1MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.