discordrat | 3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-03-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe
Size

400KB
MD5

469bdecc5986331657af133343af539b
SHA1

aa3ec8039bf48439b515345c82b48d5294814dd9
SHA256

3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32
SHA512

b668743f2a6c427ca64944d7c0a458d10931030388956141338fdc3ce0d1e6b5055b22180e2ac7937bdc637ba596d8927a8665263fb40915d27ec914dfca5e89
SSDEEP

6144:0TouKrWBEu3/Z2lpGDHU3ykJgCpKGgBdUhcX7elbKTuka/NIC:0ToPWBv/cpGrU3yZC6Bd3X3ukuNR

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyMTM3MDg0ODExMjU0MTcxNg.GYDtRI.F5HqgY6x5q5G9a0__txWfS7z09vzxp4I2qZdtY
server_id
1221371233510232085

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
3040	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
3036	3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 3040	3036	3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe	28
PID 3036 wrote to memory of 3040	3036	3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe	28
PID 3036 wrote to memory of 3040	3036	3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe	28
PID 3036 wrote to memory of 3040	3036	3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe	28
PID 3040 wrote to memory of 1448	3040	Client-built.exe	29
PID 3040 wrote to memory of 1448	3040	Client-built.exe	29
PID 3040 wrote to memory of 1448	3040	Client-built.exe	29

C:\Users\Admin\AppData\Local\Temp\3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe
"C:\Users\Admin\AppData\Local\Temp\3ccf4235af2207382b30205413c01115b451e71c707deab22c289fb419797a32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3040 -s 600
    3⤵
    - Loads dropped DLL
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
2a15e9b895f72c5cfdf809b193cad041

SHA1
fb10997427a449e5d92f76f95cdb17f81aa42e34

SHA256
dfda053c3a8fbe1aaba0ca93a4eb79182af6517d4ad3daf1b03b165077584908

SHA512
b8171857e9cb1414721f9fba584d28f20d22c2d6c335bccbfb1cb19c6ecc00e148965b263f99db248f2f33e3c180c8a7b181886cc3a3b8b2c9bf33838652db3b

Download Submit
memory/3040-8-0x000000013F6E0000-0x000000013F6F8000-memory.dmp

Filesize
96KB

Download
memory/3040-9-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/3040-10-0x000000001BD50000-0x000000001BDD0000-memory.dmp

Filesize
512KB

Download
memory/3040-16-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download