discordrat | 5158789deb8fbc8bce3eebd181700a542e621285993476277701bb1f32f407d0

Analysis

max time kernel
46s
max time network
16s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 11:32

Target

PlayStoreCards.exe
Size

78KB
MD5

49197adeae5d8f1b029468677ea6a576
SHA1

43a37a05a3205b934dd075d3917c74c391316bae
SHA256

5158789deb8fbc8bce3eebd181700a542e621285993476277701bb1f32f407d0
SHA512

a88beab75c0cd6c6a79115d400b1590fd9bfd226e6db0fd1cf3fc09051b1f8f011c496d88e2799f45ec040930747756db814688b08151e7f0a01e8677bd96388
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+JPIC:5Zv5PDwbjNrmAE+5IC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTIzMTk3MDk2MzI2OTM1MzUwMw.GiJGkJ.TOJdfCVypu97RYsKzbXu-4Mm-E5hXhMyA4I36c
server_id
1231989894444744734

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 1612	3024	PlayStoreCards.exe	28
PID 3024 wrote to memory of 1612	3024	PlayStoreCards.exe	28
PID 3024 wrote to memory of 1612	3024	PlayStoreCards.exe	28

C:\Users\Admin\AppData\Local\Temp\PlayStoreCards.exe
"C:\Users\Admin\AppData\Local\Temp\PlayStoreCards.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3024 -s 596
  2⤵
  PID:1612

memory/3024-0-0x000000013F3D0000-0x000000013F3E8000-memory.dmp

Filesize
96KB

Download
memory/3024-1-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-2-0x000000001BB20000-0x000000001BBA0000-memory.dmp

Filesize
512KB

Download
memory/3024-3-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/3024-4-0x000000001BB20000-0x000000001BBA0000-memory.dmp

Filesize
512KB

Download