discordrat | d0452f63e207ead4ba0828fba9cd46d54c08906ac3f35f1c0b27dda2d60fbc83

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

solarabootstraper.exe
Size

497KB
MD5

48258af1b1134dffa388c6f2590325c3
SHA1

e2fa6a4351d7b358e6b20e9194b63b54751458d4
SHA256

d0452f63e207ead4ba0828fba9cd46d54c08906ac3f35f1c0b27dda2d60fbc83
SHA512

1eeceefb8843f72b55e1b517039ab53cd72af3bb294fe9b06ce0a6207749506bf299cd913a4a1088ffa002069821d346ec3fc045fa701014110beec03d7d208c
SSDEEP

12288:4yveQB/fTHIGaPkKEYzURNA/bAgzfCxS6PZXOB4:4uDXTIGaPhEYzUzAT4SwZXv

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzOTEzMTk4MTc4NzI5OTkxMg.G2PouQ.rmLVRC29c13dyUDlcJhFL4MtNpJCMM3OTOmuyI
server_id
1254334525543288912

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2736	test.exe

Loads dropped DLL 6 IoCs

pid	Process
2336	solarabootstraper.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2736	2336	solarabootstraper.exe	29
PID 2336 wrote to memory of 2736	2336	solarabootstraper.exe	29
PID 2336 wrote to memory of 2736	2336	solarabootstraper.exe	29
PID 2736 wrote to memory of 2720	2736	test.exe	30
PID 2736 wrote to memory of 2720	2736	test.exe	30
PID 2736 wrote to memory of 2720	2736	test.exe	30

C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe
"C:\Users\Admin\AppData\Local\Temp\solarabootstraper.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2736 -s 596
    3⤵
    - Loads dropped DLL
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe

Filesize
78KB

MD5
cd0398fb5a04ce43be2b1183e7dfad06

SHA1
e1e9ac1f1f2533f3bfec802cae2cbeeeac65c181

SHA256
c4fb94399b109d19585a03233be7663000aae8c7c7f8661ce744c59bfa8ced08

SHA512
50bfd2614078082fd83e43e61a36b086eae0fec2399fae5655c6442a474ffb7c25cabe43b4c484c85acc4fac72c2f2613dc00e85045242dfcdd91093519699bc

Download Submit
memory/2336-4-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2736-11-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2736-12-0x000000013F8B0000-0x000000013F8C8000-memory.dmp

Filesize
96KB

Download
memory/2736-17-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-19-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2736-20-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download