Analysis
-
max time kernel
101s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
05/02/2025, 16:55 UTC
Behavioral task
behavioral1
Sample
d7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exe
Resource
win10v2004-20250129-en
General
-
Target
d7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exe
-
Size
78KB
-
MD5
9e4738a557e8bc2bf74a9918fb0deb52
-
SHA1
60552388e129ef942f034a7b4d12094b72a3c76d
-
SHA256
d7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e
-
SHA512
60f8439a4bb534f78b2c495163b6fbce9593f1572cea84d7934992067f774aee0401c578c96cf3ac3957e4cab7ca4318632a19161d91f440f83b5a7edc250e7e
-
SSDEEP
1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+dPICB:5Zv5PDwbjNrmAE+NICB
Malware Config
Extracted
discordrat
-
discord_token
MTMzNDg2ODQ0OTQ4MjI0ODI1NA.Gfn3Zp.JLsMt1DJyl2BRKGnfJyJCStA144I28izJVPav8
-
server_id
1335159502953254943
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Discordrat family
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2680 d7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestgateway.discord.ggIN AResponsegateway.discord.ggIN A162.159.133.234gateway.discord.ggIN A162.159.130.234gateway.discord.ggIN A162.159.134.234gateway.discord.ggIN A162.159.136.234gateway.discord.ggIN A162.159.135.234
-
GEThttps://gateway.discord.gg/?v=9&encording=jsond7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exeRemote address:162.159.133.234:443RequestGET /?v=9&encording=json HTTP/1.1
Connection: Upgrade,Keep-Alive
Upgrade: websocket
Sec-WebSocket-Key: slusQmLT1MVM1NBRTOvX7w==
Sec-WebSocket-Version: 13
Host: gateway.discord.gg
ResponseHTTP/1.1 101 Switching Protocols
Connection: upgrade
sec-websocket-accept: C5L3KNo4d2xfAPxJj4t9oxcUI7Q=
upgrade: websocket
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ljl1ZtvF7b%2FzrRP%2F84Nl%2BWueGQY7XvoSoPBj7%2FegOBJ3aWPBqaO9QaKRmXGIXQijWtymNCEUgBb%2Fflly8BwGbt3rYSN%2FuQzDfqvQ0mt7l%2B%2ByFobvU43HDpfEVwVTl8Kf3O30Eg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 90d46d88ad1b3d88-LHR
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request234.133.159.162.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request4.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request167.173.78.104.in-addr.arpaIN PTRResponse167.173.78.104.in-addr.arpaIN PTRa104-78-173-167deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request166.190.18.2.in-addr.arpaIN PTRResponse166.190.18.2.in-addr.arpaIN PTRa2-18-190-166deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request88.210.23.2.in-addr.arpaIN PTRResponse88.210.23.2.in-addr.arpaIN PTRa2-23-210-88deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.27.10ax-0001.ax-msedge.netIN A150.171.28.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783922_1P8P4SILGVABIECBS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340783922_1P8P4SILGVABIECBS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 520601
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 60AC68029B0A4B71BDF3F9A543B20088 Ref B: LON04EDGE1118 Ref C: 2025-02-05T16:57:03Z
date: Wed, 05 Feb 2025 16:57:02 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239400979857_14A87O62ZUJXBN0IX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239400979857_14A87O62ZUJXBN0IX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 364778
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EECDB80E1ED24AA28BBB3BA529F73758 Ref B: LON04EDGE1118 Ref C: 2025-02-05T16:57:03Z
date: Wed, 05 Feb 2025 16:57:02 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239400979856_1C4ONTMUVBZM2U4CN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239400979856_1C4ONTMUVBZM2U4CN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 485173
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4E5E26A1C45F43F0A9BDF8AA4795AFD0 Ref B: LON04EDGE1118 Ref C: 2025-02-05T16:57:03Z
date: Wed, 05 Feb 2025 16:57:02 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388216_1SP7N5FKYH04QEW3Y&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388216_1SP7N5FKYH04QEW3Y&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 533604
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5D3F686C1FE0468BBF2643B43348E6B6 Ref B: LON04EDGE1118 Ref C: 2025-02-05T16:57:03Z
date: Wed, 05 Feb 2025 16:57:02 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340783923_1O9T0OORJJUW96HF9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239340783923_1O9T0OORJJUW96HF9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 434384
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 7788DE560B3A401FA4B9AE786F924414 Ref B: LON04EDGE1118 Ref C: 2025-02-05T16:57:03Z
date: Wed, 05 Feb 2025 16:57:02 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.27.10:443RequestGET /th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 374313
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A3894A15565A4F778C9FAC7E80037A2A Ref B: LON04EDGE1118 Ref C: 2025-02-05T16:57:04Z
date: Wed, 05 Feb 2025 16:57:03 GMT
-
162.159.133.234:443https://gateway.discord.gg/?v=9&encording=jsontls, httpd7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exe1.2kB 4.5kB 11 14
HTTP Request
GET https://gateway.discord.gg/?v=9&encording=jsonHTTP Response
101 -
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
1.2kB 6.9kB 15 13
-
150.171.27.10:443https://tse1.mm.bing.net/th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2115.5kB 2.8MB 2036 2030
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783922_1P8P4SILGVABIECBS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239400979857_14A87O62ZUJXBN0IX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239400979856_1C4ONTMUVBZM2U4CN&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388216_1SP7N5FKYH04QEW3Y&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340783923_1O9T0OORJJUW96HF9&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388217_1U4N1IRR5P78Z350M&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200
-
8.8.8.8:53gateway.discord.ggdnsd7acea46b8e52588087f38b54d354b69d37e376c4c58c655ef6e0c2a6aaedd1e.exe64 B 144 B 1 1
DNS Request
gateway.discord.gg
DNS Response
162.159.133.234162.159.130.234162.159.134.234162.159.136.234162.159.135.234
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
74 B 136 B 1 1
DNS Request
234.133.159.162.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
4.160.190.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
167.173.78.104.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
71 B 135 B 1 1
DNS Request
166.190.18.2.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.236.111.52.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
88.210.23.2.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.27.10150.171.28.10