discordrat | d6c4395f0ae44000bacfd6e32934f039172d50b88f800e91632aa28224e49062

Analysis

max time kernel
142s
max time network
142s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rc7 Remake V4.0.3.exe
Size

1.8MB
MD5

e9fe08dc305ecef9d3e30387b7606449
SHA1

36bf2ff5ea70c0b39b2d130769aea4b335881217
SHA256

de659081e783bdc5529dcf792033da79266d4749368d1de30089bf8d39635ec9
SHA512

17f7d01ea90db97b4632339c17d8f0188bd7879ce2825c67b1f33036d882ac5da1294a77cf00613fbd92da3a78f116b01bcfbe59c162487720d4258140eb4cac
SSDEEP

24576:13rpuCfwthkMlFwF6OMJStMWxvS4HyQaHRt1qgKhrE7mgJW:RpuGw39lFGMJSIOyNHr6um/

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTEzODUwOTU4NDY5NzQwOTYwNw.GnqcvS.rCX2N6w-7YZE2LAuqXgNbKNTXYvV_RvO9gYEzQ
server_id
1138506428089368657

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 3 IoCs

pid	Process
2596	dll.exe
2796	ExploitBuilder.exe
2708	26d0d.exe

Loads dropped DLL 8 IoCs

pid	Process
2972	Rc7 Remake V4.0.3.exe
2972	Rc7 Remake V4.0.3.exe
2972	Rc7 Remake V4.0.3.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe
568	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
568	2708	WerFault.exe	31

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2596	2972	Rc7 Remake V4.0.3.exe	29
PID 2972 wrote to memory of 2596	2972	Rc7 Remake V4.0.3.exe	29
PID 2972 wrote to memory of 2596	2972	Rc7 Remake V4.0.3.exe	29
PID 2972 wrote to memory of 2596	2972	Rc7 Remake V4.0.3.exe	29
PID 2972 wrote to memory of 2796	2972	Rc7 Remake V4.0.3.exe	30
PID 2972 wrote to memory of 2796	2972	Rc7 Remake V4.0.3.exe	30
PID 2972 wrote to memory of 2796	2972	Rc7 Remake V4.0.3.exe	30
PID 2972 wrote to memory of 2796	2972	Rc7 Remake V4.0.3.exe	30
PID 2796 wrote to memory of 2708	2796	ExploitBuilder.exe	31
PID 2796 wrote to memory of 2708	2796	ExploitBuilder.exe	31
PID 2796 wrote to memory of 2708	2796	ExploitBuilder.exe	31
PID 2796 wrote to memory of 2708	2796	ExploitBuilder.exe	31
PID 2708 wrote to memory of 568	2708	26d0d.exe	32
PID 2708 wrote to memory of 568	2708	26d0d.exe	32
PID 2708 wrote to memory of 568	2708	26d0d.exe	32
PID 2708 wrote to memory of 568	2708	26d0d.exe	32

C:\Users\Admin\AppData\Local\Temp\Rc7 Remake V4.0.3.exe
"C:\Users\Admin\AppData\Local\Temp\Rc7 Remake V4.0.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\dll.exe
  "C:\Users\Admin\AppData\Local\Temp\dll.exe"
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe
  "C:\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\26d0d.exe
    C:\Users\Admin\AppData\Local\Temp\26d0d.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 688
      4⤵
      Loads dropped DLL
      Program crash
      PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe

Filesize
823KB

MD5
9b15b83b221ab41cf691613bb635b635

SHA1
69616dfa1a8e27b45bfbaca809a248fd1bb734e6

SHA256
470bd5725ecd1d7ef1165b22eb627a833e1442ed0caca6109d34b93691e6e72f

SHA512
2688597e292393fa3c1ca4ed930da78fce650d61be7161e511acb053f487202c1b5036f8159a54b7c897916e79ed1b60c2cab58d7d14f198b6dd150752d1efd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe

Filesize
823KB

MD5
9b15b83b221ab41cf691613bb635b635

SHA1
69616dfa1a8e27b45bfbaca809a248fd1bb734e6

SHA256
470bd5725ecd1d7ef1165b22eb627a833e1442ed0caca6109d34b93691e6e72f

SHA512
2688597e292393fa3c1ca4ed930da78fce650d61be7161e511acb053f487202c1b5036f8159a54b7c897916e79ed1b60c2cab58d7d14f198b6dd150752d1efd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe

Filesize
823KB

MD5
9b15b83b221ab41cf691613bb635b635

SHA1
69616dfa1a8e27b45bfbaca809a248fd1bb734e6

SHA256
470bd5725ecd1d7ef1165b22eb627a833e1442ed0caca6109d34b93691e6e72f

SHA512
2688597e292393fa3c1ca4ed930da78fce650d61be7161e511acb053f487202c1b5036f8159a54b7c897916e79ed1b60c2cab58d7d14f198b6dd150752d1efd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
1.0MB

MD5
4ae52cae7044da6688e77e675b4b5556

SHA1
e02d28a8716cb958e5a58eae91cbc2c740f16438

SHA256
4e674fe01f97520ac70113ce0888b7342fe24af8026307a4add5abd6914570df

SHA512
29bc5e27fe76b2e2f68ad7035f29c8f2ff1c8d15d7e0614c229a51ececeed3f79e54bfda08ee1e24d3dad6bb9611a7e43f492223b5f2665f4f7eba1a6be563d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
1.0MB

MD5
4ae52cae7044da6688e77e675b4b5556

SHA1
e02d28a8716cb958e5a58eae91cbc2c740f16438

SHA256
4e674fe01f97520ac70113ce0888b7342fe24af8026307a4add5abd6914570df

SHA512
29bc5e27fe76b2e2f68ad7035f29c8f2ff1c8d15d7e0614c229a51ececeed3f79e54bfda08ee1e24d3dad6bb9611a7e43f492223b5f2665f4f7eba1a6be563d8

Download Submit
\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
\Users\Admin\AppData\Local\Temp\26d0d.exe

Filesize
555KB

MD5
24d889e520c895a413a25a31f32fe9b4

SHA1
8b9268749e71c845824830fa84bf5cdb79c727d1

SHA256
abe1547dd985e1172ba52d35be4d6505291ccc9fa1fb007eda6f2d8504380219

SHA512
f860b8cb3cf8da3372806a0cb5f02d6d848759e33ff93c68359f9016ce6899d9e1f4a0c4b74a99abe6145f7489ba2a8f3b38fa91cc3d2d53bc18e540d0d7efdb

Download Submit
\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe

Filesize
823KB

MD5
9b15b83b221ab41cf691613bb635b635

SHA1
69616dfa1a8e27b45bfbaca809a248fd1bb734e6

SHA256
470bd5725ecd1d7ef1165b22eb627a833e1442ed0caca6109d34b93691e6e72f

SHA512
2688597e292393fa3c1ca4ed930da78fce650d61be7161e511acb053f487202c1b5036f8159a54b7c897916e79ed1b60c2cab58d7d14f198b6dd150752d1efd2

Download Submit
\Users\Admin\AppData\Local\Temp\ExploitBuilder.exe

Filesize
823KB

MD5
9b15b83b221ab41cf691613bb635b635

SHA1
69616dfa1a8e27b45bfbaca809a248fd1bb734e6

SHA256
470bd5725ecd1d7ef1165b22eb627a833e1442ed0caca6109d34b93691e6e72f

SHA512
2688597e292393fa3c1ca4ed930da78fce650d61be7161e511acb053f487202c1b5036f8159a54b7c897916e79ed1b60c2cab58d7d14f198b6dd150752d1efd2

Download Submit
\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
1.0MB

MD5
4ae52cae7044da6688e77e675b4b5556

SHA1
e02d28a8716cb958e5a58eae91cbc2c740f16438

SHA256
4e674fe01f97520ac70113ce0888b7342fe24af8026307a4add5abd6914570df

SHA512
29bc5e27fe76b2e2f68ad7035f29c8f2ff1c8d15d7e0614c229a51ececeed3f79e54bfda08ee1e24d3dad6bb9611a7e43f492223b5f2665f4f7eba1a6be563d8

Download Submit
memory/2596-33-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2596-24-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-41-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2596-39-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2596-27-0x0000000000FB0000-0x00000000010BE000-memory.dmp

Filesize
1.1MB

Download
memory/2596-28-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-34-0x0000000000810000-0x0000000000850000-memory.dmp

Filesize
256KB

Download
memory/2708-32-0x0000000001F70000-0x0000000001FC8000-memory.dmp

Filesize
352KB

Download
memory/2708-26-0x00000000002A0000-0x0000000000332000-memory.dmp

Filesize
584KB

Download
memory/2708-25-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-29-0x00000000740D0000-0x00000000747BE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-31-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2708-30-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2796-22-0x000000013FCC0000-0x000000013FD2C000-memory.dmp

Filesize
432KB

Download