discordrat | 97998ce8ee1eb61773da4dd3480ac0573821233cef969b8b81c192600fa790e3 | Triage

Analysis

max time kernel
55s
max time network
16s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
18-05-2024 09:19

Sharing

Report Analysis Logs

General

Target

SolaraBETA.exe
Size

164KB
MD5

4b2fde25d144813486401114b5b1465a
SHA1

5002bea91d465c2054b4d9c00da8d57bdef2cd8a
SHA256

97998ce8ee1eb61773da4dd3480ac0573821233cef969b8b81c192600fa790e3
SHA512

f861dbc704ecc6cb3e22e2a48397d4ff86ac50f04a79c863de7285c54a9f85279bdc62db11b75f70a27282fb0eae9b67625b2301e975a5a9ff5eaf68eb4de566
SSDEEP

3072:2Zv5PDwbjNrmAE+ZIjLdGgCvZuT75lTT3MJObhH:Wv5PDwbBr9IjLdvm27wJON

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIyODAzODA0Nzg2MjM2MjE4Mg.GeZ9Dk.99HQJjlOmDT6HLrABe4Y4tFyXqPaQdWTb6lSvI
server_id
1234555349349040179

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2980	620	SolaraBETA.exe	28
PID 620 wrote to memory of 2980	620	SolaraBETA.exe	28
PID 620 wrote to memory of 2980	620	SolaraBETA.exe	28

C:\Users\Admin\AppData\Local\Temp\SolaraBETA.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBETA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 620 -s 596
  2⤵
  PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/620-1-0x000000013F040000-0x000000013F06C000-memory.dmp

Filesize
176KB

Download
memory/620-2-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/620-3-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download