Analysis

  • max time kernel
    2s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    22/08/2024, 22:54 UTC

General

  • Target

    Spoofer/Hardware Spoofer.exe

  • Size

    78KB

  • MD5

    ef0e02648400217a2439479006ea078e

  • SHA1

    59227c31761b27f1c5dab07c6ea6228946339ce3

  • SHA256

    9515c899651eb0f87902193c595ca7babd947ed36ce0f8c9515f41e6a4b2890b

  • SHA512

    46e4bce6d53d7845f6e3dd3a16e35797c5c4dcee453d21f967b7188b3b1218363b5a6b0a1ad460cf2a35a3114afa7c72858e3efc98fb2035d7191d1cda1af7bc

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+EPIC:5Zv5PDwbjNrmAE+YIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTExODY1MTM0MDY5MjkzMDU4MA.GyYPbd.gv_mSClOMYmZ_EMjVhy1iGJpGBV4mylJ_ARxXk

  • server_id

    1118654792068251759

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spoofer\Hardware Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer\Hardware Spoofer.exe"
    1
    • Suspicious use of AdjustPrivilegeToken
    PID:2668

Network

  • US
    DNS
    gateway.discord.gg
    Hardware Spoofer.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.130.234
    gateway.discord.gg
    IN A
    162.159.135.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.134.234
  • US
    GET
    https://gateway.discord.gg/?v=9&encording=json
    Hardware Spoofer.exe
    Remote address:
    162.159.130.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: pxCPbGoUPwvgezQecoZiPg==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Thu, 22 Aug 2024 22:54:39 GMT
    Connection: upgrade
    sec-websocket-accept: bawbGlnGiKDBlAnVNQcUc+6plks=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fItfc7PVz8hw6EgBmSGb1oaT%2F5m6WORA9llpD4EV4h%2FqbhEIf2rJ4%2F%2BppStG7snStDFlNkiP54ANXzE5aySmGDpCiWA3RIqWEo2FCdwgGAy1eWSyettGO9etED2AUBpPftfk3Q%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8b76722758ddbec3-LHR
  • US
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • US
    DNS
    234.130.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.130.159.162.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • US
    DNS
    75.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.159.190.20.in-addr.arpa
    IN PTR
    Response
  • 162.159.130.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    Hardware Spoofer.exe
    1.1kB
    4.2kB
    10
    12

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    Hardware Spoofer.exe
    64 B
    144 B
    1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.130.234
    162.159.135.234
    162.159.133.234
    162.159.136.234
    162.159.134.234

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    234.130.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    234.130.159.162.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    75.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    75.159.190.20.in-addr.arpa

Downloads

  • memory/2668-0-0x00007FFA0FF63000-0x00007FFA0FF65000-memory.dmp

    Filesize

    8KB

  • memory/2668-1-0x0000018694490000-0x00000186944A8000-memory.dmp

    Filesize

    96KB

  • memory/2668-2-0x00000186AEA20000-0x00000186AEBE2000-memory.dmp

    Filesize

    1.8MB

  • memory/2668-3-0x00007FFA0FF60000-0x00007FFA10A21000-memory.dmp

    Filesize

    10.8MB

  • memory/2668-4-0x00000186AF260000-0x00000186AF788000-memory.dmp

    Filesize

    5.2MB