Analysis

  • max time kernel
    103s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/03/2025, 15:25 UTC

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    7943c195a125d0684b7f139d22485d30

  • SHA1

    d8e99c1d9c3fc1b3d54932510e8c15ef35326610

  • SHA256

    88d0b715a36832b0e69d30b180dd927800969ab1f0e3b21e584cd8033373dcca

  • SHA512

    1c563a84162fed409ed9dcd5c76c031ebf03ed0309f554ff7662421412ea213d310dd01fa5e8dfa4256bfe71ca5406d759446006cb13c36b84c974d0b48befff

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+UPIC:5Zv5PDwbjNrmAE+IIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTM1NjI4MTg2NTE3ODMxNjgyMA.GeoxaT.ocqOcSIpXr6UreUuaB7hoXHmcnhfEknTw6-SuE

  • server_id

    1356279473779245056

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:2988

Network

  • flag-us
    DNS
    gateway.discord.gg
    Client-built.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.134.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.135.234
    gateway.discord.gg
    IN A
    162.159.130.234
  • flag-us
    GET
    https://gateway.discord.gg/?v=9&encording=json
    Client-built.exe
    Remote address:
    162.159.136.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: 60fcObgFQjlzRo6AgZN3bg==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Mon, 31 Mar 2025 15:25:32 GMT
    Connection: upgrade
    sec-websocket-accept: +RLL8ZwaPIo2jLZ9Nj+Q7TvUVrs=
    upgrade: websocket
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=96IhFkEhETzwZDpJJx%2BnrZWnz4kkK9fCO%2BwgedfiK2nIktYBVzciJhohu9V2Wd%2F7AWnFuI4XKekg%2F5npuf2HyFYELDJrw0JNcje4FH7zlnBgABwwNmVLdFRHyDvJRBn%2BrLHHjw%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 9290dc245bc9639b-LHR
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388112_1D9RCOGNLARU8ARO7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388112_1D9RCOGNLARU8ARO7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 360094
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 61D55B26D45A4CF38F6DBDA890E249BB Ref B: LON04EDGE0608 Ref C: 2025-03-31T15:26:08Z
    date: Mon, 31 Mar 2025 15:26:07 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360259211_1RHQV0P5DTUS9XFSL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360259211_1RHQV0P5DTUS9XFSL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 562299
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 4AA8EF86804641AD90F9C6B7928897AC Ref B: LON04EDGE0608 Ref C: 2025-03-31T15:26:08Z
    date: Mon, 31 Mar 2025 15:26:07 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 439394
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: B3AAF152E02C4784A671E4517956AC79 Ref B: LON04EDGE0608 Ref C: 2025-03-31T15:26:08Z
    date: Mon, 31 Mar 2025 15:26:08 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239339388111_1XGVGDXXGM4UED7TP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239339388111_1XGVGDXXGM4UED7TP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 305259
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2E574A166C5347A1A9F4448D130F8C12 Ref B: LON04EDGE0608 Ref C: 2025-03-31T15:26:08Z
    date: Mon, 31 Mar 2025 15:26:08 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 439986
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5CF2FC52095E4196A46F40C375DBCD5F Ref B: LON04EDGE0608 Ref C: 2025-03-31T15:26:08Z
    date: Mon, 31 Mar 2025 15:26:08 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    150.171.28.10:443
    Request
    GET /th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 258855
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 9B83F87BA49F40D0B15CE560A9A401A6 Ref B: LON04EDGE0608 Ref C: 2025-03-31T15:26:08Z
    date: Mon, 31 Mar 2025 15:26:08 GMT
  • flag-us
    DNS
    c.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.227
  • flag-gb
    GET
    http://c.pki.goog/r/r1.crl
    Remote address:
    142.250.187.227:80
    Request
    GET /r/r1.crl HTTP/1.1
    Cache-Control: max-age = 3000
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 304 Not Modified
    Date: Mon, 31 Mar 2025 15:04:43 GMT
    Expires: Mon, 31 Mar 2025 15:54:43 GMT
    Age: 1311
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Cache-Control: public, max-age=3000
    Vary: Accept-Encoding
  • 162.159.136.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    Client-built.exe
    1.4kB
    4.5kB
    13
    14

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    8.3kB
    17
    13
  • 150.171.28.10:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    86.1kB
    2.5MB
    1782
    1774

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388112_1D9RCOGNLARU8ARO7&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360259211_1RHQV0P5DTUS9XFSL&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360259212_1BAR08KBTVWDNYB0F&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239339388111_1XGVGDXXGM4UED7TP&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360615986_1M5N6Y5ACPFWCCI4D&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360615987_16QLWX2YIZJRGGD7R&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    8.3kB
    18
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.5kB
    8.3kB
    17
    13
  • 150.171.28.10:443
    tse1.mm.bing.net
    tls, http2
    1.4kB
    8.4kB
    17
    14
  • 142.250.187.227:80
    http://c.pki.goog/r/r1.crl
    http
    476 B
    395 B
    6
    4

    HTTP Request

    GET http://c.pki.goog/r/r1.crl

    HTTP Response

    304
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    Client-built.exe
    64 B
    144 B
    1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.136.234
    162.159.134.234
    162.159.133.234
    162.159.135.234
    162.159.130.234

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    170 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    c.pki.goog
    dns
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.227

MITRE ATT&CK Matrix

Downloads

  • memory/2988-1-0x000002BDD0A40000-0x000002BDD0A58000-memory.dmp

    Filesize

    96KB

  • memory/2988-0-0x00007FF870A53000-0x00007FF870A55000-memory.dmp

    Filesize

    8KB

  • memory/2988-2-0x000002BDEB040000-0x000002BDEB202000-memory.dmp

    Filesize

    1.8MB

  • memory/2988-3-0x00007FF870A50000-0x00007FF871511000-memory.dmp

    Filesize

    10.8MB

  • memory/2988-4-0x000002BDEB980000-0x000002BDEBEA8000-memory.dmp

    Filesize

    5.2MB

  • memory/2988-5-0x00007FF870A50000-0x00007FF871511000-memory.dmp

    Filesize

    10.8MB
