discordrat | e69f87dbc38e0ec07e5c6f7952e43325a38e9197d9522092f3746c3dd9a21e43

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Steam.exe
Size

522KB
MD5

8ebac9696933022b805e9ac4b384d1da
SHA1

a18168613e61a82d361902f25507ccd3d7387123
SHA256

e69f87dbc38e0ec07e5c6f7952e43325a38e9197d9522092f3746c3dd9a21e43
SHA512

a34e6fd7014574727adaf9c99e0d8504e9416ec7c97273e617318df58d5ee6c0b9d67f1d52888a5d9c5bd1c82146a80142a4d0be5f75ad5adf62c12254fa0747
SSDEEP

12288:ByveQB/fTHIGaPkKEYzURNA/bAg8T9ooF7qp9:BuDXTIGaPhEYzUzATqRoPp9

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIzOTc1OTAwMDUyMjk4NTU2Mg.Gh30TZ.Kt1WtrwmuOFPcZGqK_yXxmaFsDK5TpEaOCP4mA
server_id
1239434854953648229

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
1620	test.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	Steam.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1620	2504	Steam.exe	30
PID 2504 wrote to memory of 1620	2504	Steam.exe	30
PID 2504 wrote to memory of 1620	2504	Steam.exe	30
PID 1620 wrote to memory of 2264	1620	test.exe	31
PID 1620 wrote to memory of 2264	1620	test.exe	31
PID 1620 wrote to memory of 2264	1620	test.exe	31

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1620 -s 600
    3⤵
    - Loads dropped DLL
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.exe

Filesize
78KB

MD5
eb4b07423aac59368f66654b70613f72

SHA1
81aaa9dcc8a80573b4b60a2ea59f336fc5203dd1

SHA256
dbdea6feb5a5be9a97ffbd107de33b602421c469f0c6522aa8acec71d0346b5b

SHA512
173df9d8d947520e40591c8fc216fadfdb63062297dab7052cb1503cc3961c96a718eab5fb81edb629a47988ccb72227dd18fccc6a65f52657b69c8bf4cb2652

Download Submit
memory/1620-10-0x000007FEF67B3000-0x000007FEF67B4000-memory.dmp

Filesize
4KB

Download
memory/1620-11-0x000000013FF40000-0x000000013FF58000-memory.dmp

Filesize
96KB

Download
memory/1620-16-0x000007FEF67B0000-0x000007FEF719C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-18-0x000007FEF67B3000-0x000007FEF67B4000-memory.dmp

Filesize
4KB

Download
memory/1620-19-0x000007FEF67B0000-0x000007FEF719C000-memory.dmp

Filesize
9.9MB

Download