discordrat | 8ea2d2e46ea334e7f908b36fbc95191ab86fbaa0186e6bce5b7d52e2396cc789 | Triage

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
10-06-2024 16:34

Sharing

Report Analysis Logs

General

Target

swift.exe
Size

78KB
MD5

319e084ef0d7ea9ecebcccc50f2bc054
SHA1

a5cfce63565b1be1c5aceafe7d5e82e7aead06d7
SHA256

8ea2d2e46ea334e7f908b36fbc95191ab86fbaa0186e6bce5b7d52e2396cc789
SHA512

02e466419964a953fcc9bf0e8d992583fd6e508987bac5a3e957efef0dc7946725ef8e04822518428bfd9b42edb617274b54232c4bf7a072bebe8820767a1af3
SSDEEP

1536:W2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+VPI8:WZv5PDwbjNrmAE+FI8

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0OTY1NTAzOTcxOTY0MTEwOA.Gab4bV.cX5u0GePqaXBehuHah6EF8g8zrkw-DhNAE__wQ
server_id
1249657445706371173

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2384	1276	swift.exe	28
PID 1276 wrote to memory of 2384	1276	swift.exe	28
PID 1276 wrote to memory of 2384	1276	swift.exe	28

C:\Users\Admin\AppData\Local\Temp\swift.exe
"C:\Users\Admin\AppData\Local\Temp\swift.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1276 -s 596
  2⤵
  PID:2384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/1276-1-0x000000013F0E0000-0x000000013F0F8000-memory.dmp

Filesize
96KB

Download
memory/1276-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1276-3-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download