discordrat | d6b2fc515713b8c80e13cfcc95360690f37ac10195501a9a29b643c5a24db8d4 | Triage

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 14:22

Sharing

Report Analysis Logs

General

Target

Client-built.exe
Size

78KB
MD5

3fa3a056ee826c171b5a028d686a6f89
SHA1

624bb8dfc93d71f6a4b87a3cce263a90f2a11333
SHA256

d6b2fc515713b8c80e13cfcc95360690f37ac10195501a9a29b643c5a24db8d4
SHA512

8371d1fcb7bf9f600862ce184fb0fd7a7672de1408875a1feea54fa0f958a2e4815e0a76d82216c9c3c5dc6559b18aafcf217bf7284453a415f17c0bba17fa65
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+zPIC:5Zv5PDwbjNrmAE+rIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NDI1MTUyMjcwODAxNzIyMw.GhERZu.UAZ3F1H9B1qIDlzhtwUMLkp769_M5FCa7m9dR4
server_id
1253923425735675915

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 1324	2632	Client-built.exe	31
PID 2632 wrote to memory of 1324	2632	Client-built.exe	31
PID 2632 wrote to memory of 1324	2632	Client-built.exe	31

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2632 -s 596
  2⤵
  PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2632-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x000000013F6F0000-0x000000013F708000-memory.dmp

Filesize
96KB

Download
memory/2632-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download