discordrat | 111b13e86437a1715726c97a4cdca943c31d8eb7ce555d16e533ce6a730bd5c5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 05:31

Target

PasteLoader.exe
Size

78KB
MD5

cd6bf9256b0458097209c5a619139ac5
SHA1

d3573dcce7406e16420ba901be06b519c6b6e88e
SHA256

111b13e86437a1715726c97a4cdca943c31d8eb7ce555d16e533ce6a730bd5c5
SHA512

01bf9c0df4cfd631200b68067c4becea373b2d74ce809fefd6549d24db7fde11cb6e83b8f0f3704b84554d16267eb7f2de92a8a3c5af912746211231da6b46e2
SSDEEP

1536:wIQOI8S4zTMHFEOEGZefHeKrIX8amErwbjNrB+uexCroKV6+fd6:wIq8S4nMLeGKrIX8amcwbjNrB+xSd6

Score

10^/10

Family

discordrat

Attributes

discord_token
MTEzODk3NzE0NzIzMTQyNDUxMg.GLN9Vx.uY2JaATZMA6ZxDffSmpo3K467bAT1_uBeq8ZsI
server_id
1258562412324585592

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

PasteLoader.exe

description	pid	process	target process
PID 2580 wrote to memory of 1804	2580	PasteLoader.exe	WerFault.exe
PID 2580 wrote to memory of 1804	2580	PasteLoader.exe	WerFault.exe
PID 2580 wrote to memory of 1804	2580	PasteLoader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\PasteLoader.exe
"C:\Users\Admin\AppData\Local\Temp\PasteLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2580 -s 596
2⤵
PID:1804

memory/2580-0-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x000000013F6D0000-0x000000013F6E8000-memory.dmp

Filesize
96KB

Download
memory/2580-2-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/2580-3-0x000007FEF50E3000-0x000007FEF50E4000-memory.dmp

Filesize
4KB

Download
memory/2580-4-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download