Resubmissions

07-11-2024 17:59

241107-wksehawmb1 10

06-11-2024 11:31

241106-nm7m7szapg 10

05-11-2024 22:04

241105-1y6aqsynhv 10

05-11-2024 21:53

241105-1rm6ksyhqe 10

04-11-2024 20:03

241104-ysp1fsvrfz 10

04-11-2024 20:03

241104-yspppaypcq 10

04-11-2024 20:03

241104-ysn36aypcp 10

04-11-2024 20:03

241104-ysnsdswhmm 10

04-11-2024 20:03

241104-ysm6vswhml 10

Analysis

  • max time kernel
    30s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 17:59

General

  • Target

    ImageLogger-cleaned.exe

  • Size

    78KB

  • MD5

    8460a2ac97b2c6d2658664c718f84533

  • SHA1

    110f9849759ff8b034fdf0eb36445c37187858af

  • SHA256

    6a88e4cd73a6a4b7768b1df63aa7ff54d911568d3cd62d88c4b447cec1cb1ff2

  • SHA512

    2286e4429ac1e829150db13b9896c9f6db7d6da4b2003742c831edfd2a21e29565e87bd97a9ef98802f20239d9c89139c5026a331506d4f24da4bd8f4a19affe

  • SSDEEP

    1536:2a/yGXNiPw3iU8Bz/oNrfxCXhRoKV6+V+kPIZ:lEzgNrmAE+4IZ

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTI5NzUzOTkxNjAxNTg2NTkwNw.Gfdmm0.1DHqcqM266sEW3k8XieYxIORIkysBrFHb6r-3Q

  • server_id

    1297365710649036921

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Discordrat family
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe
    "C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1952

Network

  • flag-us
    DNS
    gateway.discord.gg
    ImageLogger-cleaned.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.135.234
    gateway.discord.gg
    IN A
    162.159.130.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.134.234
  • flag-us
    GET
    https://gateway.discord.gg/?v=9&encording=json
    ImageLogger-cleaned.exe
    Remote address:
    162.159.135.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: +HluLNrb4uiERwIJQwCATA==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 04 Nov 2024 18:00:57 GMT
    Connection: upgrade
    sec-websocket-accept: rQ1sCTbAr8AYMW7bTZY1KOycNNE=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NQMZGssYsCYqODJCYa7QITeWKcGAwhm5J%2FfVuotZ%2B9s3GCFH%2BCifnJQj5YU43v9ADOayYnXfbAmVrz68VCBSz3JsO88bWTnqtWXrnH2A3YzJRKn9AhHBcW6kv1CCyy3h%2BRXDPA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8dd681afcbea947c-LHR
  • flag-us
    DNS
    234.135.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.135.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    103.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    103.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.156.103.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.156.103.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • 162.159.135.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    ImageLogger-cleaned.exe
    1.5kB
    4.8kB
    12
    14

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    ImageLogger-cleaned.exe
    64 B
    144 B
    1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.135.234
    162.159.130.234
    162.159.133.234
    162.159.136.234
    162.159.134.234

  • 8.8.8.8:53
    234.135.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    234.135.159.162.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    103.209.201.84.in-addr.arpa
    dns
    73 B
    133 B
    1
    1

    DNS Request

    103.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    88.156.103.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    88.156.103.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1952-0-0x00007FFF612E3000-0x00007FFF612E5000-memory.dmp

    Filesize

    8KB

  • memory/1952-1-0x000001A7959F0000-0x000001A795A08000-memory.dmp

    Filesize

    96KB

  • memory/1952-2-0x000001A7B0100000-0x000001A7B02C2000-memory.dmp

    Filesize

    1.8MB

  • memory/1952-3-0x00007FFF612E0000-0x00007FFF61DA1000-memory.dmp

    Filesize

    10.8MB

  • memory/1952-4-0x000001A7B0900000-0x000001A7B0E28000-memory.dmp

    Filesize

    5.2MB

  • memory/1952-5-0x00007FFF612E0000-0x00007FFF61DA1000-memory.dmp

    Filesize

    10.8MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.