discordrat | bf67e494234fdd6c09ddccb2aa749d24a8592afd8f19e22c468037f3d4324b87

Analysis

max time kernel
359s
max time network
359s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 17:02

Target

svc host.exe
Size

78KB
MD5

65790c6a67fd9c12531ea1ee6a7524a4
SHA1

5e4406616c0fd81320fcfcb51aa80d6e31e32ee0
SHA256

bf67e494234fdd6c09ddccb2aa749d24a8592afd8f19e22c468037f3d4324b87
SHA512

f3c227a95b7875f69bdd4997c62dd0196b63abef70241795cd53850784264b53a500992248c7b29b7a04dc0fdf5c17635f070654d792be2f4d500454ccfc0e63
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTIxNzg3OTI5NjU4MDkxNTMzMA.GIlQhI.96QyXzzXA0ZJl0UCPrmpfwDpnCu4AIzPesmSAQ
server_id
1217879157267234846

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1460	2112	svc host.exe	28
PID 2112 wrote to memory of 1460	2112	svc host.exe	28
PID 2112 wrote to memory of 1460	2112	svc host.exe	28

C:\Users\Admin\AppData\Local\Temp\svc host.exe
"C:\Users\Admin\AppData\Local\Temp\svc host.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2112 -s 596
  2⤵
  PID:1460

memory/2112-0-0x000000013FB40000-0x000000013FB58000-memory.dmp

Filesize
96KB

Download
memory/2112-1-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-2-0x000000001BA50000-0x000000001BAD0000-memory.dmp

Filesize
512KB

Download
memory/2112-3-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-4-0x000000001BA50000-0x000000001BAD0000-memory.dmp

Filesize
512KB

Download