discordrat | 4c8339c4f86b67e16c8840e953771bae4c13395e3ed512a15564be948275e39a

Analysis

max time kernel
361s
max time network
365s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-02-2024 20:36

Target

MentarLossUpdate.exe
Size

78KB
MD5

2e007e2d8f5ca6a1f57562573798b65c
SHA1

08e58cc517f07a15df237dad8b0c883a75dc69a8
SHA256

4c8339c4f86b67e16c8840e953771bae4c13395e3ed512a15564be948275e39a
SHA512

815f555000a88b7e10ffff924205bac051ed2276b795cf7697d90ca95d3a48867e016c79b7964cf1f66d9da7919e5f83c4a4c13693c335e0f52b9469e610bc52
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTIxMjIyMTExOTEwOTc5MTg0NA.GSxPDa.WoIS-Jic_avy2czubqMhJTApb7-gSDPlpVayIY
server_id
1212208594473197568

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2032	1284	MentarLossUpdate.exe	28
PID 1284 wrote to memory of 2032	1284	MentarLossUpdate.exe	28
PID 1284 wrote to memory of 2032	1284	MentarLossUpdate.exe	28

C:\Users\Admin\AppData\Local\Temp\MentarLossUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\MentarLossUpdate.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1284 -s 600
  2⤵
  PID:2032

memory/1284-0-0x000000013FB20000-0x000000013FB38000-memory.dmp

Filesize
96KB

Download
memory/1284-1-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1284-2-0x000000001BC00000-0x000000001BC80000-memory.dmp

Filesize
512KB

Download
memory/1284-3-0x000007FEF5780000-0x000007FEF616C000-memory.dmp

Filesize
9.9MB

Download
memory/1284-4-0x000000001BC00000-0x000000001BC80000-memory.dmp

Filesize
512KB

Download