discordrat | 574c5d147be871088a39dcf2dc54bf123f74da56ed2a44613e8e643e2d247ac0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 15:32

Target

InstallerV5.exe
Size

78KB
MD5

b61d469cf77f2dd30e1ef31acba14fc3
SHA1

e1931cb1d20128df56ddfff69f84c5c1ed2975a7
SHA256

574c5d147be871088a39dcf2dc54bf123f74da56ed2a44613e8e643e2d247ac0
SHA512

bfee99acb08c57615d6bae9eee7bc331eecc82fee81fa09469fe7e891779cfda34860aacba77baa8c15482141169d366713ed4d6108990d4f553ac0734e256b1
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+K8PIC:5Zv5PDwbjNrmAE+KwIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI1Nzc5NzM0ODg0Mzg0Nzc1MQ.Gt4uVY.fwQ0zxAA0tWa6W71KN3mXkRSbFGrwOcaXRwFhU
server_id
1257772717743276134

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

InstallerV5.exe

description	pid	process	target process
PID 2632 wrote to memory of 2516	2632	InstallerV5.exe	WerFault.exe
PID 2632 wrote to memory of 2516	2632	InstallerV5.exe	WerFault.exe
PID 2632 wrote to memory of 2516	2632	InstallerV5.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\InstallerV5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallerV5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2632 -s 596
2⤵
PID:2516

memory/2632-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x000000013F7C0000-0x000000013F7D8000-memory.dmp

Filesize
96KB

Download
memory/2632-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/2632-3-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2632-4-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download