discordrat | 1a3072f72b2747d1bbe6f8aec7945d7753c061cd02ab1a1632963d13ba9e61bd | Triage

Analysis

max time kernel
2280s
max time network
2280s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 19:12

Sharing

Report Analysis Logs

General

Target

lock image.exe
Size

78KB
MD5

eb574fb1d907ffd85ce1854f5585d67a
SHA1

6b72bc26e0f282010c1c1e5589e130d250d28bb5
SHA256

1a3072f72b2747d1bbe6f8aec7945d7753c061cd02ab1a1632963d13ba9e61bd
SHA512

0df1476ff05cc2c34e9c84ac4ba7760c233755f8a9f031ac33241aab71cfc1fbba20344b1403620c7f7695360d30ab124cf3557bff4730bd10f8f8b71a580c6f
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+EPIC:5Zv5PDwbjNrmAE+YIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMTA5OTM2NzcyMTc5NTYzNA.GqkwcX.UOjwiFdGIpv_jY2sOCDo02zExIyfhOxTIiOv6c
server_id
1251241660453752944

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 2428	1180	lock image.exe	28
PID 1180 wrote to memory of 2428	1180	lock image.exe	28
PID 1180 wrote to memory of 2428	1180	lock image.exe	28

C:\Users\Admin\AppData\Local\Temp\lock image.exe
"C:\Users\Admin\AppData\Local\Temp\lock image.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1180 -s 596
  2⤵
  PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1180-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/1180-1-0x000000013FB90000-0x000000013FBA8000-memory.dmp

Filesize
96KB

Download
memory/1180-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-3-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download