discordrat | 67ca292f8d356dbdb6491c5cf97b6807645d6074892fb607996861b59c47257b | Triage

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 21:57

Sharing

Report Analysis Logs

General

Target

rat.exe
Size

78KB
MD5

dc18a7ef56487ce1fc5f4c7fa16e0565
SHA1

c91069fb09d9140c49b5cdce2b135389f28d2870
SHA256

67ca292f8d356dbdb6491c5cf97b6807645d6074892fb607996861b59c47257b
SHA512

8c258efae7d560a1eb02805cec9deadbb45c7d3f1e01e784fd995a4cae8c60844de14790f62d6e8a52b3ff1b8efe6bb67fe5ce2d2b6c946149d27630a9685729
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+SPIC:5Zv5PDwbjNrmAE+eIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwOTk3NzM4OTc4Njk5MjY4MA.Gfr0fN.D7pshuUwEJ1YJgUOZvgF8ETIhPETQc3pmSjFpo
server_id
1210986041553461278

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2132	2112	rat.exe	28
PID 2112 wrote to memory of 2132	2112	rat.exe	28
PID 2112 wrote to memory of 2132	2112	rat.exe	28

C:\Users\Admin\AppData\Local\Temp\rat.exe
"C:\Users\Admin\AppData\Local\Temp\rat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2112 -s 600
  2⤵
  PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-0-0x000000013FE70000-0x000000013FE88000-memory.dmp

Filesize
96KB

Download
memory/2112-1-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-2-0x000000001BB30000-0x000000001BBB0000-memory.dmp

Filesize
512KB

Download
memory/2112-3-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download