discordrat | 7c52f297d8d829076e1607c1b7a7a5e584adef82a01e2520dabe6ca801fb55ed

Resubmissions

03/02/2025, 17:08 UTC

250203-vny6saxlev 10

03/02/2025, 17:07 UTC

250203-vm5beayqap 10

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2025, 17:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

61cc66d0b245e378647cfe3a56a51814
SHA1

b097cfda475efe6f4819b6c2db99caf744632f2f
SHA256

7c52f297d8d829076e1607c1b7a7a5e584adef82a01e2520dabe6ca801fb55ed
SHA512

422a99ce926f2793bff05837e9a226c937a89f59b221b0f9b346a1e7d32f423d2a3b6d8efe87111164884ef3983b6e50aace751531998c4574ea5b2e96da4b74
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+fPIC:5Zv5PDwbjNrmAE+nIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwODUzODYxNDg0MTM0NDAyMQ.GZlTOB.ShLTCmYqgKpUZGmBxJbpfXARUmaxc_aOPfIYyU
server_id
1336013454258995351

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4644	vlc.exe
876	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4644	vlc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	Client-built.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe
4644	vlc.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4644	vlc.exe
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE
876	EXCEL.EXE

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3832

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\InitializeRepair.MTS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\InvokeApprove.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:876

Network

DNS

gateway.discord.gg

Client-built.exe

Remote address:

8.8.8.8:53

Request

gateway.discord.gg

IN A

Response

gateway.discord.gg

IN A

162.159.134.234

gateway.discord.gg

IN A

162.159.136.234

gateway.discord.gg

IN A

162.159.130.234

gateway.discord.gg

IN A

162.159.135.234

gateway.discord.gg

IN A

162.159.133.234
GET

https://gateway.discord.gg/?v=9&encording=json

Client-built.exe

Remote address:

162.159.134.234:443

Request

GET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: FNJQYDLXYCK6dVsUcacBsQ==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg

Response

HTTP/1.1 101 Switching Protocols

Date: Mon, 03 Feb 2025 17:09:03 GMT
Connection: upgrade
sec-websocket-accept: GuilOV2xuB/+aMQj7oO6mFX41QI=
upgrade: websocket
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TFA3id1RsVri1crCPhsMGlgCpltlpzhbGeAsQ0AlKk05phkHAex%2FO5zi%2F9YGiGMlyhG3i%2FXpwnZULZD9hZjUGq4LhUsAJLE%2Bwyf6xxxQQ71FLUWsA%2FVB%2B5NdzWRAqT9s5NTpjQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 90c406c9fe2677b8-LHR
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

234.134.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

234.134.159.162.in-addr.arpa

IN PTR

Response
DNS

73.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

73.144.22.2.in-addr.arpa

IN PTR

Response

73.144.22.2.in-addr.arpa

IN PTR

a2-22-144-73deploystaticakamaitechnologiescom
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR

Response

5.114.82.104.in-addr.arpa

IN PTR

a104-82-114-5deploystaticakamaitechnologiescom
DNS

198.187.3.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.187.3.20.in-addr.arpa

IN PTR

Response
DNS

197.87.175.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

197.87.175.4.in-addr.arpa

IN PTR

Response
DNS

96.252.19.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.252.19.2.in-addr.arpa

IN PTR

Response

96.252.19.2.in-addr.arpa

IN PTR

a2-19-252-96deploystaticakamaitechnologiescom
DNS

13.153.16.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

13.153.16.2.in-addr.arpa

IN PTR

Response

13.153.16.2.in-addr.arpa

IN PTR

a2-16-153-13deploystaticakamaitechnologiescom
DNS

85.49.80.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.49.80.91.in-addr.arpa

IN PTR

Response
DNS

182.129.81.91.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.129.81.91.in-addr.arpa

IN PTR

Response
DNS

roaming.officeapps.live.com

EXCEL.EXE

Remote address:

8.8.8.8:53

Request

roaming.officeapps.live.com

IN A

Response

roaming.officeapps.live.com

IN CNAME

prod.roaming1.live.com.akadns.net

prod.roaming1.live.com.akadns.net

IN CNAME

eur.roaming1.live.com.akadns.net

eur.roaming1.live.com.akadns.net

IN CNAME

uks-azsc-000.roaming.officeapps.live.com

uks-azsc-000.roaming.officeapps.live.com

IN CNAME

osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com

osiprod-uks-buff-azsc-000.uksouth.cloudapp.azure.com

IN A

52.109.28.47
POST

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

EXCEL.EXE

Remote address:

52.109.28.47:443

Request

POST /rs/RoamingSoapService.svc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: text/xml; charset=utf-8
User-Agent: MS-WebServices/1.0
SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
Content-Length: 511
Host: roaming.officeapps.live.com

Response

HTTP/1.1 200 OK

Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/10.0
X-OfficeFE: RoamingFE_IN_33
X-OfficeVersion: 16.0.18527.30575
X-OfficeCluster: uks-000.roaming.officeapps.live.com
Content-Security-Policy-Report-Only: script-src 'nonce-Lr3h60ZiI14WlCydIiRCEVQhKMNBpLJgG835jKxDsWdQcJXiY43Z1OD8uMP9UJjfmIx3HpznX2GpN904AcsgrcMIt5Snv44w4v/oD22DekJC7LHk1L05X1+nmQcrBNDfa8YlD72G2yrjoDPIWB3Ib9BotPIlEALZCPM7wbAM15s=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
X-Frame-Options: Deny
X-CorrelationId: ca445b24-8900-44ac-bd8d-4849d225b5d2
X-Powered-By: ASP.NET
Date: Mon, 03 Feb 2025 17:11:25 GMT
Content-Length: 654
DNS

97.32.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.32.109.52.in-addr.arpa

IN PTR

Response
DNS

47.28.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

47.28.109.52.in-addr.arpa

IN PTR

Response

162.159.134.234:443

https://gateway.discord.gg/?v=9&encording=json

tls, http

Client-built.exe

1.3kB
4.5kB
12
14

HTTP Request

GET https://gateway.discord.gg/?v=9&encording=json

HTTP Response

101
52.109.28.47:443

https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

tls, http

EXCEL.EXE

1.8kB
8.3kB
12
11

HTTP Request

POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

HTTP Response

200

8.8.8.8:53

gateway.discord.gg

dns

Client-built.exe

64 B
144 B
1
1

DNS Request

gateway.discord.gg

DNS Response

162.159.134.234

162.159.136.234

162.159.130.234

162.159.135.234

162.159.133.234
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

234.134.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

234.134.159.162.in-addr.arpa
8.8.8.8:53

73.144.22.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

73.144.22.2.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

5.114.82.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

5.114.82.104.in-addr.arpa
8.8.8.8:53

198.187.3.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

198.187.3.20.in-addr.arpa
8.8.8.8:53

197.87.175.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

197.87.175.4.in-addr.arpa
8.8.8.8:53

96.252.19.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

96.252.19.2.in-addr.arpa
8.8.8.8:53

13.153.16.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

13.153.16.2.in-addr.arpa
8.8.8.8:53

85.49.80.91.in-addr.arpa

dns

70 B
145 B
1
1

DNS Request

85.49.80.91.in-addr.arpa
8.8.8.8:53

182.129.81.91.in-addr.arpa

dns

72 B
147 B
1
1

DNS Request

182.129.81.91.in-addr.arpa
8.8.8.8:53

roaming.officeapps.live.com

dns

EXCEL.EXE

73 B
244 B
1
1

DNS Request

roaming.officeapps.live.com

DNS Response

52.109.28.47
8.8.8.8:53

97.32.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.32.109.52.in-addr.arpa
8.8.8.8:53

47.28.109.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

47.28.109.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
83B

MD5
366480bd727fd4904c29eebce4bd875a

SHA1
c1eb162f4461d160d276f56f00609977927ef081

SHA256
4f07847824097c98f99d5d732bbc2842c23e676fe2a64f39c5451a0b37b07c20

SHA512
06a6ff451ca1509087e386b0ffc206345648c6cd088217ed20074c56ae657e34e6de7be37a347dd70e84992f9cd5b033e327fa34dfab2ad4aaba2c7ab179563e

Download Submit
memory/876-63-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

Filesize
64KB

Download
memory/876-57-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

Filesize
64KB

Download
memory/876-59-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

Filesize
64KB

Download
memory/876-58-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

Filesize
64KB

Download
memory/876-61-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

Filesize
64KB

Download
memory/876-60-0x00007FFD160B0000-0x00007FFD160C0000-memory.dmp

Filesize
64KB

Download
memory/876-62-0x00007FFD138B0000-0x00007FFD138C0000-memory.dmp

Filesize
64KB

Download
memory/1240-3-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

Filesize
10.8MB

Download
memory/1240-6-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

Filesize
10.8MB

Download
memory/1240-5-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp

Filesize
8KB

Download
memory/1240-4-0x000001E599060000-0x000001E599588000-memory.dmp

Filesize
5.2MB

Download
memory/1240-0-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp

Filesize
8KB

Download
memory/1240-2-0x000001E6001D0000-0x000001E600392000-memory.dmp

Filesize
1.8MB

Download
memory/1240-1-0x000001E5FE370000-0x000001E5FE388000-memory.dmp

Filesize
96KB

Download
memory/4644-27-0x00007FFD4A170000-0x00007FFD4A188000-memory.dmp

Filesize
96KB

Download
memory/4644-35-0x00007FFD2D4A0000-0x00007FFD2E550000-memory.dmp

Filesize
16.7MB

Download
memory/4644-26-0x00007FFD2FB30000-0x00007FFD2FDE6000-memory.dmp

Filesize
2.7MB

Download
memory/4644-30-0x00007FFD485C0000-0x00007FFD485D7000-memory.dmp

Filesize
92KB

Download
memory/4644-42-0x00007FFD2F5A0000-0x00007FFD2F5B1000-memory.dmp

Filesize
68KB

Download
memory/4644-41-0x00007FFD325A0000-0x00007FFD325B1000-memory.dmp

Filesize
68KB

Download
memory/4644-40-0x00007FFD330C0000-0x00007FFD330D1000-memory.dmp

Filesize
68KB

Download
memory/4644-39-0x00007FFD38F30000-0x00007FFD38F41000-memory.dmp

Filesize
68KB

Download
memory/4644-38-0x00007FFD3E270000-0x00007FFD3E288000-memory.dmp

Filesize
96KB

Download
memory/4644-37-0x00007FFD33460000-0x00007FFD33481000-memory.dmp

Filesize
132KB

Download
memory/4644-36-0x00007FFD330E0000-0x00007FFD33121000-memory.dmp

Filesize
260KB

Download
memory/4644-29-0x00007FFD48690000-0x00007FFD486A1000-memory.dmp

Filesize
68KB

Download
memory/4644-53-0x00007FF644E10000-0x00007FF644F08000-memory.dmp

Filesize
992KB

Download
memory/4644-55-0x00007FFD2FB30000-0x00007FFD2FDE6000-memory.dmp

Filesize
2.7MB

Download
memory/4644-54-0x00007FFD47D10000-0x00007FFD47D44000-memory.dmp

Filesize
208KB

Download
memory/4644-56-0x00007FFD2D4A0000-0x00007FFD2E550000-memory.dmp

Filesize
16.7MB

Download
memory/4644-31-0x00007FFD482D0000-0x00007FFD482E1000-memory.dmp

Filesize
68KB

Download
memory/4644-34-0x00007FFD2F920000-0x00007FFD2FB2B000-memory.dmp

Filesize
2.0MB

Download
memory/4644-32-0x00007FFD479B0000-0x00007FFD479CD000-memory.dmp

Filesize
116KB

Download
memory/4644-33-0x00007FFD47990000-0x00007FFD479A1000-memory.dmp

Filesize
68KB

Download
memory/4644-28-0x00007FFD48980000-0x00007FFD48997000-memory.dmp

Filesize
92KB

Download
memory/4644-24-0x00007FF644E10000-0x00007FF644F08000-memory.dmp

Filesize
992KB

Download
memory/4644-25-0x00007FFD47D10000-0x00007FFD47D44000-memory.dmp

Filesize
208KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.