discordrat | b60ac43357d7a64db54b6056e62504e79f05508d0f66d22020653758b0107a47

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 19:45

Target

executor.exe
Size

78KB
MD5

e1494c0e764cba65e9f4587d66fe0aa7
SHA1

9b4d1e845f50f401743848a4482c7612833aa679
SHA256

a5eb869393a0ec941ae9bb25f817004cf668ed4cb563189af9b4e976acc91d8a
SHA512

129aadf5d7df8835d82fa73b039de621798ab2d34ade3983ea7745555fc56c3ed4a01f03767804f000d73ea1c87a82fa4224794fbb554d5d31d403ffb3f77465
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+LPIC:5Zv5PDwbjNrmAE+jIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI1NjYyNDkzOTk3MzQ4MDYzOA.GT32M_.lhjiOtBbZnAqoOopUAFURemzfI_gNk6usA4kPk
server_id
1258096867728818177

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2880	2844	executor.exe	30
PID 2844 wrote to memory of 2880	2844	executor.exe	30
PID 2844 wrote to memory of 2880	2844	executor.exe	30

C:\Users\Admin\AppData\Local\Temp\executor.exe
"C:\Users\Admin\AppData\Local\Temp\executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2844 -s 596
  2⤵
  PID:2880

memory/2844-0-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download
memory/2844-1-0x000000013F2F0000-0x000000013F308000-memory.dmp

Filesize
96KB

Download
memory/2844-2-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download
memory/2844-3-0x000007FEF5C23000-0x000007FEF5C24000-memory.dmp

Filesize
4KB

Download
memory/2844-4-0x000007FEF5C20000-0x000007FEF660C000-memory.dmp

Filesize
9.9MB

Download