discordrat | 0300fd4f30013254015adcfa071a76c238b89d0b5c0bb78edf1b3db4bb67ac59

Analysis

max time kernel
10s
max time network
3s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
31/01/2025, 13:13 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

cac3ad4234efc39e0e9042c55d9f864c
SHA1

dc8ab47b9aa08d0fe7451f37bd65d17a614b949a
SHA256

0300fd4f30013254015adcfa071a76c238b89d0b5c0bb78edf1b3db4bb67ac59
SHA512

33920c4ca715e60f1d504d081670a44a21817acce93028f7fe33b096ffb1fe437a46241a6fe10c89276c9a652bf41d1f8701c63a3f3d2dfdd51ce4532f4b3dc4
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+PPIC:5Zv5PDwbjNrmAE+3IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNDg2ODQ0OTQ4MjI0ODI1NA.GqRuir.m1LgjbdeFUMKWpZprOQy-MTZpg_vlVOqClUMFo
server_id
1334873666978189427

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	Client-built.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700

Network

DNS

gateway.discord.gg

Client-built.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.130.234

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.133.234

gateway.discord.gg

IN A

162.159.136.234
GET

https://gateway.discord.gg/?v=9&encording=json

Client-built.exe

Remote address:

162.159.134.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: deRmW0B1lD/7qldZYtDHyA==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Fri, 31 Jan 2025 13:14:06 GMT
Connection: upgrade
sec-websocket-accept: 1iMD5BDRbxCAdF6gXaFlvuBul6Y=
upgrade: websocket
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ONw213TQOUoNJNGq5HOe9OK%2Bu8qIZ2zLJNnAkaHzwx0nU4QbIoY4ikPpc24C%2B15UX54sSWT9uXrc9aHEwtS2ZXYApncsZ9fNpiHbjzXlWv7ZqX2z1XEseYlPlQfw03IkzdAU7A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 90a9f67f9c18949f-LHR
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

234.134.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.134.159.162.in-addr.arpa

IN PTR

Response

162.159.134.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

Client-built.exe

1.1kB
4.5kB
10
13

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101

8.8.8.8:53

gateway.discord.gg

dns

Client-built.exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.134.234

162.159.130.234

162.159.135.234

162.159.133.234

162.159.136.234
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

234.134.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

234.134.159.162.in-addr.arpa

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-0-0x00007FFBDDB13000-0x00007FFBDDB15000-memory.dmp

Filesize
8KB

Download
memory/1700-1-0x000001BBA21E0000-0x000001BBA21F8000-memory.dmp

Filesize
96KB

Download
memory/1700-2-0x000001BBBC820000-0x000001BBBC9E2000-memory.dmp

Filesize
1.8MB

Download
memory/1700-3-0x00007FFBDDB10000-0x00007FFBDE5D2000-memory.dmp

Filesize
10.8MB

Download
memory/1700-4-0x000001BBBD020000-0x000001BBBD548000-memory.dmp

Filesize
5.2MB

Download
memory/1700-5-0x00007FFBDDB13000-0x00007FFBDDB15000-memory.dmp

Filesize
8KB

Download
memory/1700-6-0x00007FFBDDB10000-0x00007FFBDE5D2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.