discordrat | 6a88e4cd73a6a4b7768b1df63aa7ff54d911568d3cd62d88c4b447cec1cb1ff2

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 00:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ImageLogger-cleaned.exe
Size

78KB
MD5

8460a2ac97b2c6d2658664c718f84533
SHA1

110f9849759ff8b034fdf0eb36445c37187858af
SHA256

6a88e4cd73a6a4b7768b1df63aa7ff54d911568d3cd62d88c4b447cec1cb1ff2
SHA512

2286e4429ac1e829150db13b9896c9f6db7d6da4b2003742c831edfd2a21e29565e87bd97a9ef98802f20239d9c89139c5026a331506d4f24da4bd8f4a19affe
SSDEEP

1536:2a/yGXNiPw3iU8Bz/oNrfxCXhRoKV6+V+kPIZ:lEzgNrmAE+4IZ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5NzUzOTkxNjAxNTg2NTkwNw.Gfdmm0.1DHqcqM266sEW3k8XieYxIORIkysBrFHb6r-3Q
server_id
1297365710649036921

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2056	ImageLogger-cleaned.exe

C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe
"C:\Users\Admin\AppData\Local\Temp\ImageLogger-cleaned.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

Network

DNS

gateway.discord.gg

ImageLogger-cleaned.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.130.234
GET

https://gateway.discord.gg/?v=9&encording=json

ImageLogger-cleaned.exe

Remote address:

162.159.136.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: yNycUPc+K2sA5WCElJN4dg==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Sun, 26 Jan 2025 00:44:49 GMT
Connection: upgrade
sec-websocket-accept: rRzKYN6Aqe/KloRJojzu9TTsjBw=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lMRto7UP%2FyB9Kkdbc0JoxtHnWRmQ%2F0FzptnkPJpmo3pTZzh11ziGhDMzItvTa9h6jnCR6CXYLrMiMOo6tZ6aTnik%2B2IM9L7rFZaw3G8tIp2WSDNajZJ7EouRdvrSxZPec3ikkg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 907c7a05fe00657a-LHR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

234.136.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.136.159.162.in-addr.arpa

IN PTR

Response
DNS

23.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.159.190.20.in-addr.arpa

IN PTR

Response
DNS

167.173.78.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

167.173.78.104.in-addr.arpa

IN PTR

Response

167.173.78.104.in-addr.arpa

IN PTR

a104-78-173-167deploystaticakamaitechnologiescom
DNS

13.86.106.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.86.106.20.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

206.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

206.23.85.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

218.110.86.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

218.110.86.104.in-addr.arpa

IN PTR

Response

218.110.86.104.in-addr.arpa

IN PTR

a104-86-110-218deploystaticakamaitechnologiescom
DNS

202.110.86.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

202.110.86.104.in-addr.arpa

IN PTR

Response

202.110.86.104.in-addr.arpa

IN PTR

a104-86-110-202deploystaticakamaitechnologiescom
DNS

22.236.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

22.236.111.52.in-addr.arpa

IN PTR

Response

162.159.136.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

ImageLogger-cleaned.exe

1.2kB
4.5kB
11
14

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101

8.8.8.8:53

gateway.discord.gg

dns

ImageLogger-cleaned.exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.136.234

162.159.135.234

162.159.133.234

162.159.134.234

162.159.130.234
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

234.136.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

234.136.159.162.in-addr.arpa
8.8.8.8:53

23.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

23.159.190.20.in-addr.arpa
8.8.8.8:53

167.173.78.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

167.173.78.104.in-addr.arpa
8.8.8.8:53

13.86.106.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

13.86.106.20.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

206.23.85.13.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

206.23.85.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

218.110.86.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

218.110.86.104.in-addr.arpa
8.8.8.8:53

202.110.86.104.in-addr.arpa

dns

73 B
139 B
1
1

DNS Request

202.110.86.104.in-addr.arpa
8.8.8.8:53

22.236.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

22.236.111.52.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-0-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/2056-1-0x000002521E2B0000-0x000002521E2C8000-memory.dmp

Filesize
96KB

Download
memory/2056-2-0x0000025238A70000-0x0000025238C32000-memory.dmp

Filesize
1.8MB

Download
memory/2056-3-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/2056-4-0x0000025239170000-0x0000025239698000-memory.dmp

Filesize
5.2MB

Download
memory/2056-5-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/2056-6-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.