discordrat | 84b7efd2c244173234ba7208bf38d432462fa958b40ceefedff524f089b6e208 | Triage

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 22:54

Sharing

Report Analysis Logs

General

Target

Spoofer/Hardware Spoofer.exe
Size

78KB
MD5

ef0e02648400217a2439479006ea078e
SHA1

59227c31761b27f1c5dab07c6ea6228946339ce3
SHA256

9515c899651eb0f87902193c595ca7babd947ed36ce0f8c9515f41e6a4b2890b
SHA512

46e4bce6d53d7845f6e3dd3a16e35797c5c4dcee453d21f967b7188b3b1218363b5a6b0a1ad460cf2a35a3114afa7c72858e3efc98fb2035d7191d1cda1af7bc
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+EPIC:5Zv5PDwbjNrmAE+YIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTExODY1MTM0MDY5MjkzMDU4MA.GyYPbd.gv_mSClOMYmZ_EMjVhy1iGJpGBV4mylJ_ARxXk
server_id
1118654792068251759

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2132	1640	Hardware Spoofer.exe	30
PID 1640 wrote to memory of 2132	1640	Hardware Spoofer.exe	30
PID 1640 wrote to memory of 2132	1640	Hardware Spoofer.exe	30

C:\Users\Admin\AppData\Local\Temp\Spoofer\Hardware Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofer\Hardware Spoofer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1640 -s 596
  2⤵
  PID:2132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-0-0x000007FEF5793000-0x000007FEF5794000-memory.dmp

Filesize
4KB

Download
memory/1640-1-0x000000013F980000-0x000000013F998000-memory.dmp

Filesize
96KB

Download
memory/1640-2-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download