Resubmissions
07-11-2024 17:59
241107-wksehawmb1 1006-11-2024 11:31
241106-nm7m7szapg 1005-11-2024 22:04
241105-1y6aqsynhv 1005-11-2024 21:53
241105-1rm6ksyhqe 1004-11-2024 20:03
241104-ysp1fsvrfz 1004-11-2024 20:03
241104-yspppaypcq 1004-11-2024 20:03
241104-ysn36aypcp 1004-11-2024 20:03
241104-ysnsdswhmm 1004-11-2024 20:03
241104-ysm6vswhml 10Analysis
-
max time kernel
30s -
max time network
19s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
04-11-2024 17:59
Behavioral task
behavioral1
Sample
ImageLogger-cleaned.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
ImageLogger-cleaned.exe
Resource
win10v2004-20241007-en
General
-
Target
ImageLogger-cleaned.exe
-
Size
78KB
-
MD5
8460a2ac97b2c6d2658664c718f84533
-
SHA1
110f9849759ff8b034fdf0eb36445c37187858af
-
SHA256
6a88e4cd73a6a4b7768b1df63aa7ff54d911568d3cd62d88c4b447cec1cb1ff2
-
SHA512
2286e4429ac1e829150db13b9896c9f6db7d6da4b2003742c831edfd2a21e29565e87bd97a9ef98802f20239d9c89139c5026a331506d4f24da4bd8f4a19affe
-
SSDEEP
1536:2a/yGXNiPw3iU8Bz/oNrfxCXhRoKV6+V+kPIZ:lEzgNrmAE+4IZ
Malware Config
Extracted
discordrat
-
discord_token
MTI5NzUzOTkxNjAxNTg2NTkwNw.Gfdmm0.1DHqcqM266sEW3k8XieYxIORIkysBrFHb6r-3Q
-
server_id
1297365710649036921
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1952 ImageLogger-cleaned.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestgateway.discord.ggIN AResponsegateway.discord.ggIN A162.159.135.234gateway.discord.ggIN A162.159.130.234gateway.discord.ggIN A162.159.133.234gateway.discord.ggIN A162.159.136.234gateway.discord.ggIN A162.159.134.234
-
Remote address:162.159.135.234:443RequestGET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: +HluLNrb4uiERwIJQwCATA==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg
ResponseHTTP/1.1 101 Switching Protocols
Connection: upgrade
sec-websocket-accept: rQ1sCTbAr8AYMW7bTZY1KOycNNE=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NQMZGssYsCYqODJCYa7QITeWKcGAwhm5J%2FfVuotZ%2B9s3GCFH%2BCifnJQj5YU43v9ADOayYnXfbAmVrz68VCBSz3JsO88bWTnqtWXrnH2A3YzJRKn9AhHBcW6kv1CCyy3h%2BRXDPA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8dd681afcbea947c-LHR
-
Remote address:8.8.8.8:53Request234.135.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.209.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.156.103.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
162.159.135.234:443https://gateway.discord.gg/?v=9&encording=jsontls, httpImageLogger-cleaned.exe1.5kB 4.8kB 12 14
HTTP Request
GET https://gateway.discord.gg/?v=9&encording=jsonHTTP Response
101
-
64 B 144 B 1 1
DNS Request
gateway.discord.gg
DNS Response
162.159.135.234162.159.130.234162.159.133.234162.159.136.234162.159.134.234
-
74 B 136 B 1 1
DNS Request
234.135.159.162.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
73 B 133 B 1 1
DNS Request
103.209.201.84.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
88.156.103.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-