discordrat | 71db60d88dc44bd9cccadd4f453677d22f630b39c8df60dd5c963029abd9d28e | Triage

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 19:20

Sharing

Report Analysis Logs

General

Target

MultiReportV2.exe
Size

78KB
MD5

615e27bbbd17c412275f7eeee8068045
SHA1

7821f9879427a768e11e0b3b8ca1c3bdf1672e03
SHA256

71db60d88dc44bd9cccadd4f453677d22f630b39c8df60dd5c963029abd9d28e
SHA512

692010fe4317aabdc0793bd24214ee84415b9d89449fecf1d92f054250d9298998db999fb173daf94c1ef106ae33c864391b37ea2d0fc69ad4c448583d025254
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+qPIC:5Zv5PDwbjNrmAE+2IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI2MzM1MTI5MTI1NDUzODI3MQ.GHJbQu.aVoP-1ysFiiieVx91DVEu5VSbH1T5KTqIvcUg4
server_id
1263835750579830847

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

MultiReportV2.exe

description	pid	process	target process
PID 1952 wrote to memory of 2688	1952	MultiReportV2.exe	WerFault.exe
PID 1952 wrote to memory of 2688	1952	MultiReportV2.exe	WerFault.exe
PID 1952 wrote to memory of 2688	1952	MultiReportV2.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\MultiReportV2.exe
"C:\Users\Admin\AppData\Local\Temp\MultiReportV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1952 -s 600
2⤵
PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1952-0-0x000007FEF6203000-0x000007FEF6204000-memory.dmp

Filesize
4KB

Download
memory/1952-1-0x000000013F0E0000-0x000000013F0F8000-memory.dmp

Filesize
96KB

Download
memory/1952-2-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-3-0x000007FEF6200000-0x000007FEF6BEC000-memory.dmp

Filesize
9.9MB

Download