discordrat | 516d03ab0a8b9c86aac53483bdce0aaedce1747ad41687fe649360beb3e690e8

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 01:53

Target

A.exe
Size

78KB
MD5

942c8c3f505851e1e3c29b995fc4c668
SHA1

7be02f8d1fbbf816f83efc2a36504475332352a6
SHA256

516d03ab0a8b9c86aac53483bdce0aaedce1747ad41687fe649360beb3e690e8
SHA512

c12d78469bd6e3c7134547f810636c6c7278a17f1e7425ba4c1d9a0b4d6017b4be6e93997a495878c7441374dea4b3c487d573baef69d20cad9f65579f411883
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+xPIC:5Zv5PDwbjNrmAE+hIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI1MTM5NDU2MTkzMTA4Nzk2Ng.GVpTiC.aG6daNWB3ZKdyNM0l8rdBK1DppjVAtp5jSZd5E
server_id
1251216160561696778

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

A.exe

description	pid	process	target process
PID 2956 wrote to memory of 2880	2956	A.exe	WerFault.exe
PID 2956 wrote to memory of 2880	2956	A.exe	WerFault.exe
PID 2956 wrote to memory of 2880	2956	A.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\A.exe
"C:\Users\Admin\AppData\Local\Temp\A.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2956 -s 596
2⤵
PID:2880

memory/2956-0-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

Filesize
4KB

Download
memory/2956-1-0x000000013FEF0000-0x000000013FF08000-memory.dmp

Filesize
96KB

Download
memory/2956-2-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-3-0x000007FEF5E83000-0x000007FEF5E84000-memory.dmp

Filesize
4KB

Download
memory/2956-4-0x000007FEF5E80000-0x000007FEF686C000-memory.dmp

Filesize
9.9MB

Download