discordrat | d0edb846b44e046fee8fea55dba1160e988ccfc947cf51fbb2803ded90268d19 | Triage

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 02:19

Sharing

Report Analysis Logs

General

Target

RobloxPlayer.exe
Size

78KB
MD5

8f3d0d4044ff8cc1d847687568c91e14
SHA1

fd9049e0e5c074603b78a2aea228b75e4ce6c099
SHA256

1c7ffa12df8fc6b0617ddd3e7bf89582154156c803ca2b2df7a6073d43e13dc0
SHA512

afd8aa0948e588de2bb7d44687afccd5da52e613a06a26bbec862945a3cd1a80423b2e1929256bce23e92bac5b09f27e436c1223583d4507c6782da3d46760e4
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+cPIC:5Zv5PDwbjNrmAE+QIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxNTQyMjc0OTk4ODg4NDU3Mg.G8QiY3.e2k047pCmhPxBH-tdaOfxVTB1BY3dSfZIT_sXY
server_id
1201970766531530822

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

RobloxPlayer.exe

description	pid	process	target process
PID 1444 wrote to memory of 2376	1444	RobloxPlayer.exe	WerFault.exe
PID 1444 wrote to memory of 2376	1444	RobloxPlayer.exe	WerFault.exe
PID 1444 wrote to memory of 2376	1444	RobloxPlayer.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1444 -s 596
  2⤵
  PID:2376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download
memory/1444-1-0x000000013F110000-0x000000013F128000-memory.dmp

Filesize
96KB

Download
memory/1444-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/1444-3-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

Filesize
4KB

Download