discordrat | 402d83a67acf9591aaf8dc4e62dcafc4dd10f3987cb7a175f0c288de77a86ad7

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/03/2024, 14:24

Target

PyrusC2.exe
Size

78KB
MD5

27f969d17693c222cdd0494cb2a09f80
SHA1

d5425670f1d1d40fb04a2a1c72dc7572a748a67a
SHA256

402d83a67acf9591aaf8dc4e62dcafc4dd10f3987cb7a175f0c288de77a86ad7
SHA512

33e8e65940074c84f24697ee6cc2654289419f02ca481033bf3c369f26fe4f16c3990a822fe0842f3feb2febe4cb8c57d8e3d1acc63d4c560e54ebe0806a42df
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+xPIC:5Zv5PDwbjNrmAE+hIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTIxMzUwMTgyMzQxMTgyMjYzMg.G_3rn-.hlmdq27ziRAcKVZvZ9b7woSeSyqsovKDo0qouc
server_id
1200522482130632846

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3016	2232	PyrusC2.exe	28
PID 2232 wrote to memory of 3016	2232	PyrusC2.exe	28
PID 2232 wrote to memory of 3016	2232	PyrusC2.exe	28

C:\Users\Admin\AppData\Local\Temp\PyrusC2.exe
"C:\Users\Admin\AppData\Local\Temp\PyrusC2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2232 -s 596
  2⤵
  PID:3016

memory/2232-0-0x000000013F9A0000-0x000000013F9B8000-memory.dmp

Filesize
96KB

Download
memory/2232-1-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-2-0x000000001BA30000-0x000000001BAB0000-memory.dmp

Filesize
512KB

Download
memory/2232-3-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-4-0x000000001BA30000-0x000000001BAB0000-memory.dmp

Filesize
512KB

Download