discordrat | b7dc70f04ee701b25d575ed8237baaf214d97e579aa47a13b839633218568b08

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-05-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rampuri‮gpj.exe
Size

501KB
MD5

aa4a62721037855489902b7d4d0fe68c
SHA1

b6ebde37fd59baafde5462e6c9423cde8e3d080d
SHA256

b7dc70f04ee701b25d575ed8237baaf214d97e579aa47a13b839633218568b08
SHA512

84d6994520799b861bf545d9d06a64a2b9219a3a1e2fb3bc2359b950781c2a11c58304974f4cbedf1d4985299f82956f2350588a2d64d1839b1d204b5c06f3f0
SSDEEP

12288:9CQjgAtAHM+vetZxF5EWry8AJGy0yGhSTzAsWpB09:95ZWs+OZVEWry8AFBuEfWk9

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzODQ5ODc4MjE5NTQ4MjY5NA.GkSDpb.jG1gPk_g1LnlBEHlMGwUcQd-U1qCjeaJbc2Bn8
server_id
1238500915263176714

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2696	happy.exe

Loads dropped DLL 6 IoCs

pid	Process
2252	rampuri‮gpj.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe
2412	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2696	2252	rampuri‮gpj.exe	28
PID 2252 wrote to memory of 2696	2252	rampuri‮gpj.exe	28
PID 2252 wrote to memory of 2696	2252	rampuri‮gpj.exe	28
PID 2696 wrote to memory of 2412	2696	happy.exe	29
PID 2696 wrote to memory of 2412	2696	happy.exe	29
PID 2696 wrote to memory of 2412	2696	happy.exe	29

C:\Users\Admin\AppData\Local\Temp\rampuri‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\rampuri‮gpj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\happy.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\happy.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2696 -s 596
    3⤵
    - Loads dropped DLL
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\happy.exe

Filesize
78KB

MD5
857991068fdee984d91e65364486abdf

SHA1
0171505ce0aa4cb4d632f6a99bae7f3e782ba9db

SHA256
ba6ce51642372234055c224fa92a28fb4c46f3dd767e6dc0c8e38500ea002f73

SHA512
5fba1948c2fe8b5b7b27781fc7fb2b518a0f2521dcc3f06930b1d42887c9a0db26a477ddb15ff6725b5949696163cca23d8cda452cb1758d9a441e1d288545e6

Download Submit
memory/2252-2-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2252-17-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2696-9-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2696-10-0x000000013FDE0000-0x000000013FDF8000-memory.dmp

Filesize
96KB

Download
memory/2696-15-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-18-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2696-19-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2696-20-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download