discordrat | fb20124a565035509bfe77f7969e6b6481af6e084c1f779eafefacb3238838b9 | Triage

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 22:15

Sharing

Report Analysis Logs

General

Target

RAT.exe
Size

78KB
MD5

fbf3aac78be63f4c9cac42c5065e841d
SHA1

ef1ef9f1c4582740ddbbb0ae931729d28f9cddcf
SHA256

fb20124a565035509bfe77f7969e6b6481af6e084c1f779eafefacb3238838b9
SHA512

5384fbe4d98eb58784a50161a06439f0b0d8842a39980d84d51b87c9da420ea0d400d9595a9e55083499813d583bbdcf17f04202df43a39318fc0f9cbde3531a
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+mPIC:5Zv5PDwbjNrmAE+CIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MDY5Njg4MTA1MTYwMzA3NA.Gk0pb5.gw1UrxfVboadUu1780jASHItFkwsOrCVl0hucM
server_id
1237869398321139852

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

RAT.exe

description	pid	process	target process
PID 1688 wrote to memory of 2384	1688	RAT.exe	WerFault.exe
PID 1688 wrote to memory of 2384	1688	RAT.exe	WerFault.exe
PID 1688 wrote to memory of 2384	1688	RAT.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RAT.exe
"C:\Users\Admin\AppData\Local\Temp\RAT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1688 -s 596
2⤵
PID:2384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-0-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

Filesize
4KB

Download
memory/1688-1-0x000000013FCE0000-0x000000013FCF8000-memory.dmp

Filesize
96KB

Download
memory/1688-2-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp

Filesize
9.9MB

Download
memory/1688-3-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp

Filesize
4KB

Download