discordrat | 2ad64e8dfd8a9799ed6a456fa784d1884164eedcea268c910e72fe543891cef2

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 17:32

Target

RvcUserInterFace.exe
Size

78KB
MD5

a93e4c430ad89942f59d9634116ea5c4
SHA1

9dd1419ca927a5e95e380f60693223b5fffbe89a
SHA256

2ad64e8dfd8a9799ed6a456fa784d1884164eedcea268c910e72fe543891cef2
SHA512

4d8420f7558f18be70544e8190b7e75f461c5401e8f1302e08431807232a10f821ebef7c318e8613aff37e7b739fb9a670903ae775a186dddcc82435b3ed0f59
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTE4NTI0NTc2NjExNDEwMzM1Nw.Gat4VC.1CnS9_cPhmJgKcEV43-EZxZET1Cj3kAzip89cM
server_id
1178376627995037726

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2140	2072	RvcUserInterFace.exe	30
PID 2072 wrote to memory of 2140	2072	RvcUserInterFace.exe	30
PID 2072 wrote to memory of 2140	2072	RvcUserInterFace.exe	30

C:\Users\Admin\AppData\Local\Temp\RvcUserInterFace.exe
"C:\Users\Admin\AppData\Local\Temp\RvcUserInterFace.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2072 -s 600
  2⤵
  PID:2140

memory/2072-0-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2072-1-0x000000013FC30000-0x000000013FC48000-memory.dmp

Filesize
96KB

Download
memory/2072-2-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-3-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2072-4-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download