Analysis

  • max time kernel
    129s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    17/08/2024, 12:35 UTC

General

  • Target

    Release/Discord rat.exe

  • Size

    79KB

  • MD5

    d13905e018eb965ded2e28ba0ab257b5

  • SHA1

    6d7fe69566fddc69b33d698591c9a2c70d834858

  • SHA256

    2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

  • SHA512

    b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

  • SSDEEP

    1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Malware Config

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Release\Discord rat.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:1848
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4200

    Network

    • DNS (US)
      gateway.discord.gg
      Discord rat.exe
      Remote address:
      8.8.8.8:53
      Request
      gateway.discord.gg
      IN A
      Response
      gateway.discord.gg
      IN A
      162.159.130.234
      gateway.discord.gg
      IN A
      162.159.135.234
      gateway.discord.gg
      IN A
      162.159.133.234
      gateway.discord.gg
      IN A
      162.159.134.234
      gateway.discord.gg
      IN A
      162.159.136.234
    • DNS (US)
      gateway.discord.gg
      Discord rat.exe
      Remote address:
      8.8.8.8:53
      Request
      gateway.discord.gg
      IN A
    • GET (US)
      https://gateway.discord.gg/?v=9&encording=json
      Discord rat.exe
      Remote address:
      162.159.130.234:443
      Request
      GET /?v=9&encording=json HTTP/1.1
      Connection: Upgrade,Keep-Alive
      Upgrade: websocket
      Sec-WebSocket-Key: 6rCqofVCurTWap14Yfz+Dw==
      Sec-WebSocket-Version: 13
      Host: gateway.discord.gg
      Response
      HTTP/1.1 101 Switching Protocols
      Date: Sat, 17 Aug 2024 12:35:52 GMT
      Connection: upgrade
      sec-websocket-accept: /KaAl+0RkO91DXvbne73cewV3d4=
      upgrade: websocket
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mFUNXwAR5%2FXc76%2FuD0WxK6s9lq5KUtFXjVwYcIx2YZLDQ8qX22BkQPkDZMPs%2FjC3%2FlKriPl0LRUkgZEjolzDijA3sB3SksheZJRBr4qgDv%2BO35sCQv0XQ%2BIgrV5%2BQJpd3HoGtw%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      X-Content-Type-Options: nosniff
      Server: cloudflare
      CF-RAY: 8b49b4d99a584188-LHR
    • DNS (US)
      234.130.159.162.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      234.130.159.162.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      30.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      30.243.111.52.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      25.73.42.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      25.73.42.20.in-addr.arpa
      IN PTR
      Response
    • DNS (US)
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • 162.159.130.234:443
      https://gateway.discord.gg/?v=9&encording=json
      tls, http
      Discord rat.exe
      1.8kB
      4.4kB
      15
      14

      HTTP Request

      GET https://gateway.discord.gg/?v=9&encording=json

      HTTP Response

      101
    • 8.8.8.8:53
      gateway.discord.gg
      dns
      Discord rat.exe
      128 B
      144 B
      2
      1

      DNS Request

      gateway.discord.gg

      DNS Request

      gateway.discord.gg

      DNS Response

      162.159.130.234
      162.159.135.234
      162.159.133.234
      162.159.134.234
      162.159.136.234

    • 8.8.8.8:53
      234.130.159.162.in-addr.arpa
      dns
      74 B
      136 B
      1
      1

      DNS Request

      234.130.159.162.in-addr.arpa

    • 8.8.8.8:53
      30.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      30.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      25.73.42.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      25.73.42.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    Downloads

    • memory/1848-0-0x00007FFD9F733000-0x00007FFD9F734000-memory.dmp

      Filesize

      4KB

    • memory/1848-1-0x0000016FD29A0000-0x0000016FD29B8000-memory.dmp

      Filesize

      96KB

    • memory/1848-2-0x0000016FED020000-0x0000016FED1E2000-memory.dmp

      Filesize

      1.8MB

    • memory/1848-3-0x00007FFD9F730000-0x00007FFDA011C000-memory.dmp

      Filesize

      9.9MB

    • memory/1848-4-0x0000016FED820000-0x0000016FEDD46000-memory.dmp

      Filesize

      5.1MB

    • memory/1848-5-0x00007FFD9F733000-0x00007FFD9F734000-memory.dmp

      Filesize

      4KB

    • memory/1848-6-0x00007FFD9F730000-0x00007FFDA011C000-memory.dmp

      Filesize

      9.9MB
