discordrat | 9297e053593230a1ffe610b08cc5a15e2bb09b7fe597943c999619ae998afbd8

Analysis

max time kernel
17s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 11:25

Target

AutoUpdater.exe
Size

78KB
MD5

4ef3988d23c0e3cb6c4a5948c7865ce3
SHA1

77a0b7cb980982bddd1bbf920c4acd918b417d7a
SHA256

9297e053593230a1ffe610b08cc5a15e2bb09b7fe597943c999619ae998afbd8
SHA512

d7dd7f6752beac6913158765fa24536f6563562250493e0e1db7b465524d29a80fe907dbc4524e47f261a18c5db45dff4844f5ec0496e0daf0c7a5a57869e0ed
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+wPIC:5Zv5PDwbjNrmAE+0IC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI3NTA4NTE4NzQ3Mzk5NzgyNQ.GO-AzQ.aCF8rAvj4Zl8ivypcz_3OksP199rQqiwhyHWfI
server_id
1275087276753293383

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2224	2524	AutoUpdater.exe	29
PID 2524 wrote to memory of 2224	2524	AutoUpdater.exe	29
PID 2524 wrote to memory of 2224	2524	AutoUpdater.exe	29

C:\Users\Admin\AppData\Local\Temp\AutoUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\AutoUpdater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2524 -s 604
  2⤵
  PID:2224

memory/2524-0-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x000000013F140000-0x000000013F158000-memory.dmp

Filesize
96KB

Download
memory/2524-2-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download
memory/2524-3-0x000007FEF56E3000-0x000007FEF56E4000-memory.dmp

Filesize
4KB

Download
memory/2524-4-0x000007FEF56E0000-0x000007FEF60CC000-memory.dmp

Filesize
9.9MB

Download