MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbdeed3080cd1b935ca88c373f35773ba155fda38738f4808804aa90d22c71b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



DiscordRAT


Vendor detections: 17


Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash: dbdeed3080cd1b935ca88c373f35773ba155fda38738f4808804aa90d22c71b0
SHA3-384 hash: 9117a7b47f8808215e78bdebe68eb8c8ca1ea8acad7ea89b087e33ff0a3e8dd2c5823fd8631e6429fabe46f51c023650
SHA1 hash: b0314b1fa0ae07773164beadcfbd6f085d44d63a
MD5 hash: 95131b6be8b73ef20bda266a2ff193f9
humanhash: butter-arkansas-idaho-michigan
File name:RedTiger-Tools-main-2.0.exe
Download: download sample
Signature DiscordRAT
File size:80'384 bytes
First seen:2026-04-14 17:12:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+wPIC:5Zv5PDwbjNrmAE+0IC
Threatray 232 similar samples on MalwareBazaar
TLSH T19773B8C877AD8903FBBF5EBD147141524B72BB17E935F68D088C54E611A2B828C42B9B
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:DiscordRAT exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
160
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
DiscordRAT
Details
DiscordRAT
Discord Webhook and guild ID, and download URLs
Malware family:
n/a
ID:
1
File name:
RedTiger-Tools-main-2.0.exe
Verdict:
Malicious activity
Analysis date:
2026-04-14 17:10:39 UTC
Tags:
websocket discord exfiltration stealer evasion discordrat rat

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.2%
Tags:
dropper virus msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 blacknet cmd dllhost fingerprint hacktool installer-heuristic lolbin net netsh packed reconnaissance schtasks soft-404 stealer
Verdict:
Malicious
Labled as:
Application.MSILheracles.Generic
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-04-14T14:14:00Z UTC
Last seen:
2026-04-14T21:47:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Injuke.pflk HEUR:Exploit.MSIL.UAC.gen HEUR:Backdoor.MSIL.DiscoRat.gen
Result
Threat name:
Discord Rat
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Signature
.NET source code contains potential unpacker
Contains functionality to disable the Task Manager (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Yara detected Discord Rat
Behaviour
Behavior Graph:
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Msilheracles
Status:
Malicious
First seen:
2026-04-14 17:10:42 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Result
Malware family:
discordrat
Score:
  10/10
Tags:
family:discordrat persistence rat rootkit stealer
Behaviour
Suspicious use of AdjustPrivilegeToken
Family: Discord RAT
Unpacked files
SH256 hash:
dbdeed3080cd1b935ca88c373f35773ba155fda38738f4808804aa90d22c71b0
MD5 hash:
95131b6be8b73ef20bda266a2ff193f9
SHA1 hash:
b0314b1fa0ae07773164beadcfbd6f085d44d63a
Detections:
DiscordRAT2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:discordrat_v1
Author:RandomMalware
Rule name:Discord_RAT_C_sharp
Author:malwquinn
Rule name:NET
Author:malware-lu
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments