discordrat | b93dd87ea81dc8163e221a5bf8bccb449745dd5771b97c6fbf28331cd24dcd02 | Triage

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 06:22

Sharing

Report Analysis Logs

General

Target

A-Something.exe
Size

78KB
MD5

8e3df8f3ff44cc7683d41a093dbcee31
SHA1

3d164477a3a630a9b8111ae3b4dd15abceeb4ab9
SHA256

b93dd87ea81dc8163e221a5bf8bccb449745dd5771b97c6fbf28331cd24dcd02
SHA512

4a95601c38d68a8e3e3e1cbef5a6a7b20c71d1e2d92272662d2dd756fb08e6c8f175f5c5a2653c68ec4a62eb54ac3df3038038700273bfee94b90ef709784d7c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+8mPIC:5Zv5PDwbjNrmAE+8CIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI3MTE4MjI1MzkzMzk4OTk0OA.GaNFei.KG7WFkOh-jzYvEL__GMB5FM3ucNnLjV7rH6BXU
server_id
1272942145543864340

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2036	3040	A-Something.exe	29
PID 3040 wrote to memory of 2036	3040	A-Something.exe	29
PID 3040 wrote to memory of 2036	3040	A-Something.exe	29

C:\Users\Admin\AppData\Local\Temp\A-Something.exe
"C:\Users\Admin\AppData\Local\Temp\A-Something.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3040 -s 600
  2⤵
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/3040-1-0x000000013F060000-0x000000013F078000-memory.dmp

Filesize
96KB

Download
memory/3040-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/3040-3-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download