discordrat | fe70a77db520220cfb325f54030820a0300eed7e21eb6594d9ed6077409d5dc4 | Triage

Analysis

max time kernel
4s
max time network
5s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-03-2024 19:23

Sharing

Report Analysis Logs

General

Target

751f76k.exe
Size

78KB
MD5

47c4da32d747f78b58d8d91017053740
SHA1

94d9ad77f8f93418e02fca7d9648b3752fc15637
SHA256

fe70a77db520220cfb325f54030820a0300eed7e21eb6594d9ed6077409d5dc4
SHA512

df1d190be4395eb43310abf34954c92b8e0746684ef89ca0dc2dd24307261354f0adcf85f5cef1d364ceb40358c0e28f9aa1275b6111bf88f37e19a93a5ef376
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+XPIC:5Zv5PDwbjNrmAE+fIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxODMxODU5MzAzMzUwNjk4Nw.G2aMyP.sYexWKzMYxMEBrfbE1aN2soA-mP6cIs0IUamu0
server_id
1215369598061379594

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2228	1152	751f76k.exe	28
PID 1152 wrote to memory of 2228	1152	751f76k.exe	28
PID 1152 wrote to memory of 2228	1152	751f76k.exe	28

C:\Users\Admin\AppData\Local\Temp\751f76k.exe
"C:\Users\Admin\AppData\Local\Temp\751f76k.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1152 -s 600
  2⤵
  PID:2228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-0-0x000000013F7E0000-0x000000013F7F8000-memory.dmp

Filesize
96KB

Download
memory/1152-1-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download
memory/1152-2-0x0000000000590000-0x0000000000610000-memory.dmp

Filesize
512KB

Download
memory/1152-3-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmp

Filesize
9.9MB

Download