discordrat | d56a1643d296616d07291a85c65b5af1189c3f7ac5197534556a168e20c326a4 | Triage

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 15:55

Sharing

Report Analysis Logs

General

Target

loader.exe
Size

78KB
MD5

0fe5eef86f55a197b86a758915f11059
SHA1

2eff191d8f447d999d427fd825a266ab7a0b358e
SHA256

d56a1643d296616d07291a85c65b5af1189c3f7ac5197534556a168e20c326a4
SHA512

7b657babe30b904f48559d5597501dee92b61cc70955008a1007a9e480ddc9cca5d4b2ff1d1ffabc095dfb13478e307519a9f4a276a4bf45eb6b42abf409b23f
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+aPIC:5Zv5PDwbjNrmAE+GIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0MjA5MzEzMDI2NjgzNzA0Mw.GPiHV0.xzmGeKlEDKXpKijmlwzstJzxgKPWKJkSa-fjRA
server_id
1242093566004822039

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

loader.exe

description	pid	process	target process
PID 2280 wrote to memory of 2976	2280	loader.exe	WerFault.exe
PID 2280 wrote to memory of 2976	2280	loader.exe	WerFault.exe
PID 2280 wrote to memory of 2976	2280	loader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2280 -s 596
2⤵
PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2280-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x000000013FF30000-0x000000013FF48000-memory.dmp

Filesize
96KB

Download
memory/2280-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download