discordrat | 8babcf505f2bf387850280c73ba6e2b3cd950b0383047841ac109f479a288c6e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScaryKart.exe
Size

551KB
MD5

eb08107e08a2536292902db8cc97d722
SHA1

ec62cc7d5a90db160195f473495ec9e5c102d60b
SHA256

8babcf505f2bf387850280c73ba6e2b3cd950b0383047841ac109f479a288c6e
SHA512

89999cfa54fa033b6e03b7b407ee296cb7b7fd9e834e55210c83085b934e7b07f063bfb359fa7e84563e7473fbd4dca4e1c09f44163aca0e9dad337a2fb66f12
SSDEEP

12288:5hqxSLo5C1Ps4XhitX+t4983sMbK93vC2Td6FtJ/TL:5HLmCiIhiX483vC+mtJv

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1MzI3OTgwMTIzODg4MDI4OQ.GRYisY.MCX3PxYFEDjNe8KMtaXisef9H7jEZywLNsHvs0
server_id
1253280184275173377

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
1960	Test.exe

Loads dropped DLL 6 IoCs

pid	Process
2064	ScaryKart.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe
2356	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1960	2064	ScaryKart.exe	31
PID 2064 wrote to memory of 1960	2064	ScaryKart.exe	31
PID 2064 wrote to memory of 1960	2064	ScaryKart.exe	31
PID 2064 wrote to memory of 1960	2064	ScaryKart.exe	31
PID 1960 wrote to memory of 2356	1960	Test.exe	32
PID 1960 wrote to memory of 2356	1960	Test.exe	32
PID 1960 wrote to memory of 2356	1960	Test.exe	32

C:\Users\Admin\AppData\Local\Temp\ScaryKart.exe
"C:\Users\Admin\AppData\Local\Temp\ScaryKart.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Test.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1960 -s 596
    3⤵
    - Loads dropped DLL
    PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Test.exe

Filesize
78KB

MD5
f90a42773820e56ce58d67e7f4509954

SHA1
c0db25be44be20089e438a81d12812af5107bf31

SHA256
08a2eba2ab9395856f1d0dfd30e21c0a86e3acac63eb72d685ff4af9230c0377

SHA512
11b4b20c3f4503e6b05a6a8c53619574e244241f8544036f8a00feadcf83daac478d4f7e8cc736af4603d7957f007713167f7ea6118dbddd33608830ab6924a6

Download Submit
memory/1960-10-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/1960-11-0x000000013FFA0000-0x000000013FFB8000-memory.dmp

Filesize
96KB

Download
memory/1960-16-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download
memory/1960-18-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp

Filesize
9.9MB

Download