discordrat | 9b95f80b5f60b8aa81b6cc05c0c0383beaaa5ce30db24fde25c690981eba42e5 | Triage

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 14:48

Sharing

Report Analysis Logs

General

Target

SolaraV5.exe
Size

78KB
MD5

82cf6c8eddde1f23d69d8e9ca2bc0269
SHA1

d8c234fd8a7a5995920b844426a6f018042a4725
SHA256

9b95f80b5f60b8aa81b6cc05c0c0383beaaa5ce30db24fde25c690981eba42e5
SHA512

1e1cf0d713c9686b6bbbe8fbdb5f3505c635a828da00edafe96bf41ab123c6baf21f9eb84979551c7ecb5847edfc19a1bc916ed8111bc1f63ccb25ee34b5eb4c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+CPIC:5Zv5PDwbjNrmAE+uIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjI1NDgyNjk0NjQ5NDU2NA.GrRfKA.YsB7hsHUpHvZirYbIIQmXvx4R6FyivCliyluhA
server_id
1256254741638418442

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1224	2164	SolaraV5.exe	28
PID 2164 wrote to memory of 1224	2164	SolaraV5.exe	28
PID 2164 wrote to memory of 1224	2164	SolaraV5.exe	28

C:\Users\Admin\AppData\Local\Temp\SolaraV5.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraV5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2164 -s 596
  2⤵
  PID:1224

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download
memory/2164-1-0x000000013F520000-0x000000013F538000-memory.dmp

Filesize
96KB

Download
memory/2164-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-3-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download