discordrat | 379449b8c2d0053cea2aa786cf2ad6e3cd61e67793ac5b68be77358360b0ce42 | Triage

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 23:04

Sharing

Report Analysis Logs

General

Target

ocean.exe
Size

78KB
MD5

5b4483e4d0d5d3c245509d44f6ede105
SHA1

7f55b3ff41fa5a810e44d74b79f5bf3953882707
SHA256

379449b8c2d0053cea2aa786cf2ad6e3cd61e67793ac5b68be77358360b0ce42
SHA512

14066a18f5439efc767cecd347b658679ba39fc7135bcbe6f3c731ceb38ce614788015391df1ed2fcdda9233d2a655156126d298e94d7479ccfb99028fb2012a
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+vPIC:5Zv5PDwbjNrmAE+XIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIwNDEwODc0MjM5Njg3MDczNw.Gw9Kyr.z1zBnV1wCUwvnB-hn8vkxiW22uEX8O5oY4F9Qk
server_id
1204106853043273729

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1960	1252	ocean.exe	28
PID 1252 wrote to memory of 1960	1252	ocean.exe	28
PID 1252 wrote to memory of 1960	1252	ocean.exe	28

C:\Users\Admin\AppData\Local\Temp\ocean.exe
"C:\Users\Admin\AppData\Local\Temp\ocean.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1252 -s 596
  2⤵
  PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1252-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/1252-1-0x000000013F780000-0x000000013F798000-memory.dmp

Filesize
96KB

Download
memory/1252-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1252-3-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download