discordrat | 96fbd1bfcb40f835dcffb407da07ec9187fd9610be7e9964079fae21c3c7e8f1

Analysis

max time kernel
1440s
max time network
1446s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 22:09

Target

MW3PRO0.exe
Size

78KB
MD5

682dc2f44a5ade056306a241914646fc
SHA1

13b7b423e3a338311ded14f3bcd87c24589bdd80
SHA256

96fbd1bfcb40f835dcffb407da07ec9187fd9610be7e9964079fae21c3c7e8f1
SHA512

208c303decd469a4e0743f79f0d13550e2d6c986e164461541821d8870d2174b7b352f2ea5cffefd18c895c10de8775df228286d5f06697a3d48da1f748a55dd
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+9PIC:5Zv5PDwbjNrmAE+tIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTEyOTg5MjIxNzU5OTgyMzk4Mw.GnWnte.vyhNeWc4uW-fNQNN6fLlu3GI805VkSgmANbczg
server_id
1267742928692973691

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1664	2796	MW3PRO0.exe	29
PID 2796 wrote to memory of 1664	2796	MW3PRO0.exe	29
PID 2796 wrote to memory of 1664	2796	MW3PRO0.exe	29

C:\Users\Admin\AppData\Local\Temp\MW3PRO0.exe
"C:\Users\Admin\AppData\Local\Temp\MW3PRO0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2796 -s 600
  2⤵
  PID:1664

memory/2796-0-0x000007FEF5643000-0x000007FEF5644000-memory.dmp

Filesize
4KB

Download
memory/2796-1-0x000000013FF90000-0x000000013FFA8000-memory.dmp

Filesize
96KB

Download
memory/2796-2-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-3-0x000007FEF5643000-0x000007FEF5644000-memory.dmp

Filesize
4KB

Download
memory/2796-4-0x000007FEF5640000-0x000007FEF602C000-memory.dmp

Filesize
9.9MB

Download