discordrat | e7fca4daafc29ccd460e69ab01d630844509562f8e94ee3d60dd20557d8b6551 | Triage

Analysis

max time kernel
1s
max time network
1s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 10:46

Sharing

Report Analysis Logs

General

Target

2FA BYPASS-V -3.0.exe
Size

263KB
MD5

f7ee184d9dfa88e54ffb8cc6c6fb6b9f
SHA1

6d61a3c783228964c9354424b6cff5589eaf1fa8
SHA256

e7fca4daafc29ccd460e69ab01d630844509562f8e94ee3d60dd20557d8b6551
SHA512

063ff2f744cd2293f4a55639de99b519bdbad03ef7a26a3d26ccff4819902e22931d7481ea4244816060aaac0c9a04e1b54bd09b411a94bd9ae35e0736a389df
SSDEEP

3072:FZv5PDwbjNrmAE+lI+9/jXBxmoGZPov4T2CJHKHfC5r6m:rv5PDwbBr5IG7xxmoaww6CdfU

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwMDAyNzUxMjczMDgzMjk5Ng.GNxPdN.mmAj4OKTCRvwfQo1E7s8bpCk0tDwxGtO3p0Jtc
server_id
1200027337987723316

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2352	2864	2FA BYPASS-V -3.0.exe	28
PID 2864 wrote to memory of 2352	2864	2FA BYPASS-V -3.0.exe	28
PID 2864 wrote to memory of 2352	2864	2FA BYPASS-V -3.0.exe	28

C:\Users\Admin\AppData\Local\Temp\2FA BYPASS-V -3.0.exe
"C:\Users\Admin\AppData\Local\Temp\2FA BYPASS-V -3.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2864 -s 596
  2⤵
  PID:2352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2864-0-0x000000013F070000-0x000000013F0B6000-memory.dmp

Filesize
280KB

Download
memory/2864-1-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-2-0x000000001BD30000-0x000000001BDB0000-memory.dmp

Filesize
512KB

Download