discordrat | aca13de69b970f10357414fc04b9d424e3ec91d46c48dcf23244309e6994de24 | Triage

Analysis

max time kernel
7s
max time network
0s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 23:11

Sharing

Report Analysis Logs

General

Target

HackerTool.exe
Size

78KB
MD5

700cbe7842075702ba7a814135377cba
SHA1

afc4dae81fdcd51e6cfba4df93b95473019db51d
SHA256

aca13de69b970f10357414fc04b9d424e3ec91d46c48dcf23244309e6994de24
SHA512

1a364f96ee78c3e83ec4a9e9a88d070a67fa55cbc4f3e2e5a99f2c4f5d933abee9f98f5537d56159a57771d82e78a19a1b14e1a52002d2420783cfafde59de11
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Nzk1NzI4ODU0MzUyMjk0OA.GIpluZ.fDKYKipS9PVq4yhIAizQmTyDwK5kQQ8ux_PrHQ
server_id
1257954812113190942

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 3032	1680	HackerTool.exe	28
PID 1680 wrote to memory of 3032	1680	HackerTool.exe	28
PID 1680 wrote to memory of 3032	1680	HackerTool.exe	28

C:\Users\Admin\AppData\Local\Temp\HackerTool.exe
"C:\Users\Admin\AppData\Local\Temp\HackerTool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1680 -s 596
  2⤵
  PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-0-0x000007FEF51F3000-0x000007FEF51F4000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x000000013F830000-0x000000013F848000-memory.dmp

Filesize
96KB

Download
memory/1680-2-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download
memory/1680-3-0x000007FEF51F0000-0x000007FEF5BDC000-memory.dmp

Filesize
9.9MB

Download