discordrat | 7d272cff38b3532e158d804c4ddf38869f03b38da851a4d72abe594a288c700a | Triage

Analysis

max time kernel
27s
max time network
19s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 18:31

Sharing

Report Analysis Logs

General

Target

loader.exe
Size

78KB
MD5

abb3589671f52a88b8e47f98c1249253
SHA1

f4a49bd9ffa15000e532e2fae5c1cb958f5e5d86
SHA256

7d272cff38b3532e158d804c4ddf38869f03b38da851a4d72abe594a288c700a
SHA512

3a54eed4e807c500137b6ff6e8baf8303d4fe5eca62b20ae0e969e0d8cd95e337c50d63d3b0d68e392709a5fac5f66b01849aa4cec0e1918e547b1de830f2d4f
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+IPIC:5Zv5PDwbjNrmAE+MIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwOTU1Mjg4MTkzODg2NjE4Nw.G9235T.g81DCm6yldFma1yTDAEFxsayb5LIKUgfWw8Mbw
server_id
1200522482130632846

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2052	2660	loader.exe	28
PID 2660 wrote to memory of 2052	2660	loader.exe	28
PID 2660 wrote to memory of 2052	2660	loader.exe	28

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2660 -s 596
  2⤵
  PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2660-0-0x000000013FF50000-0x000000013FF68000-memory.dmp

Filesize
96KB

Download
memory/2660-1-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-2-0x0000000000540000-0x00000000005C0000-memory.dmp

Filesize
512KB

Download
memory/2660-3-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download