discordrat | 49b263d4ed23515700cbae48b96e39fe024c6e24563682b352d9beebe17d99fa

Analysis

max time kernel
21s
max time network
16s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bypasser/bypasser_final.exe
Size

135KB
MD5

a1288b1ec6fb4da4f55dc8fd53a6c4ce
SHA1

bead8a51b0c34f981a4b278681f63f3b88f9ad54
SHA256

f7dd8d7d380e311b86e9fb2d61b63eb212e70f5e8e51acdbf47a1dd4ed051891
SHA512

2fa5aa3a0d4daaa57854a9045a12b7e01a0f9864924cde12935646b25f172c787b120bdaac65be85ebe442476c2c1f45b51b737ddbbd2579cf6416e65ab038a2
SSDEEP

1536:2vdWSVRVDlOzjRzrksAOO2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPICsov:2MSncRzAOOZv5PDwbjNrmAE+ZICsov

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MTMwNDM5NDkzNTUwNTA4Nw.GXLWWL.r7OUns0sCMr5I9ra_FffjxEK2E7LukBojfJIT8
server_id
1256804931839459358

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Executes dropped EXE 1 IoCs

Processes:

CLIENT-BUILT.EXE

pid process

2724 CLIENT-BUILT.EXE
Loads dropped DLL 6 IoCs

Processes:

bypasser_final.exeWerFault.exe

pid process

3036 bypasser_final.exe
2524 WerFault.exe
2524 WerFault.exe
2524 WerFault.exe
2524 WerFault.exe
2524 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2724	CLIENT-BUILT.EXE

pid	process
3036	bypasser_final.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe
2524	WerFault.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

bypasser_final.exeCLIENT-BUILT.EXE

description	pid	process	target process
PID 3036 wrote to memory of 2724	3036	bypasser_final.exe	CLIENT-BUILT.EXE
PID 3036 wrote to memory of 2724	3036	bypasser_final.exe	CLIENT-BUILT.EXE
PID 3036 wrote to memory of 2724	3036	bypasser_final.exe	CLIENT-BUILT.EXE
PID 3036 wrote to memory of 2724	3036	bypasser_final.exe	CLIENT-BUILT.EXE
PID 2724 wrote to memory of 2524	2724	CLIENT-BUILT.EXE	WerFault.exe
PID 2724 wrote to memory of 2524	2724	CLIENT-BUILT.EXE	WerFault.exe
PID 2724 wrote to memory of 2524	2724	CLIENT-BUILT.EXE	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bypasser\bypasser_final.exe
"C:\Users\Admin\AppData\Local\Temp\bypasser\bypasser_final.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
"C:\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2724 -s 600
3⤵
- Loads dropped DLL
PID:2524

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CLIENT-BUILT.EXE
Filesize
78KB

MD5
a654392da078edaa1e15edf5037892af

SHA1
7e46cf31017813ef3965ee4b0b4dc1cb8467eaf5

SHA256
e8c4b3c1bf31627789ae496bda5014524cc6304c2f0b31f592cb4ce82703269c

SHA512
3caf159430d00b513cfe2c1221f39643f00b018c0af7952c9a3c0fee43c9aacf3b0c55846ef137c66fa6c8c5c9b007d3f87c013d1de61811da22a9ad7d66d9dc

Download Submit
memory/2724-7-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/2724-8-0x000000013FBD0000-0x000000013FBE8000-memory.dmp

Filesize
96KB

Download
memory/2724-13-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-15-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download