Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
129s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system -
submitted
17/08/2024, 12:35 UTC
Behavioral task
behavioral1
Sample
Release/Discord rat.exe
Resource
win10-20240611-en
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
builder.exe
Resource
win10-20240404-en
1 signatures
150 seconds
Behavioral task
behavioral3
Sample
dnlib.dll
Resource
win10-20240404-en
0 signatures
150 seconds
General
-
Target
Release/Discord rat.exe
-
Size
79KB
-
MD5
d13905e018eb965ded2e28ba0ab257b5
-
SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858
-
SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
-
SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
-
SSDEEP
1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU
Score
10/10
Malware Config
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1848 Discord rat.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4200
Network
-
Remote address:8.8.8.8:53Requestgateway.discord.ggIN AResponsegateway.discord.ggIN A162.159.130.234gateway.discord.ggIN A162.159.135.234gateway.discord.ggIN A162.159.133.234gateway.discord.ggIN A162.159.134.234gateway.discord.ggIN A162.159.136.234
-
Remote address:8.8.8.8:53Requestgateway.discord.ggIN A
-
Remote address:162.159.130.234:443RequestGET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: 6rCqofVCurTWap14Yfz+Dw==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg
ResponseHTTP/1.1 101 Switching Protocols
Connection: upgrade
sec-websocket-accept: /KaAl+0RkO91DXvbne73cewV3d4=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mFUNXwAR5%2FXc76%2FuD0WxK6s9lq5KUtFXjVwYcIx2YZLDQ8qX22BkQPkDZMPs%2FjC3%2FlKriPl0LRUkgZEjolzDijA3sB3SksheZJRBr4qgDv%2BO35sCQv0XQ%2BIgrV5%2BQJpd3HoGtw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8b49b4d99a584188-LHR
-
Remote address:8.8.8.8:53Request234.130.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request30.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request25.73.42.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
1.8kB 4.4kB 15 14
HTTP Request
GET https://gateway.discord.gg/?v=9&encording=jsonHTTP Response
101
-
128 B 144 B 2 1
DNS Request
gateway.discord.gg
DNS Request
gateway.discord.gg
DNS Response
162.159.130.234162.159.135.234162.159.133.234162.159.134.234162.159.136.234
-
74 B 136 B 1 1
DNS Request
234.130.159.162.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
30.243.111.52.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
25.73.42.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa