discordrat | f4a63b7b747369289369ada5ba8961af3b5898f9aee1760455255d97e19015f3

Analysis

max time kernel
1563s
max time network
1563s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 22:11

Target

MW3PRO00.exe
Size

78KB
MD5

cbf27dcba2ef0fa998c38384a22d6cba
SHA1

5a644d1f39cd64e40d663264d1a9de9218cd1302
SHA256

f4a63b7b747369289369ada5ba8961af3b5898f9aee1760455255d97e19015f3
SHA512

d89bf4ae3b715fb079eac95d908344f1c51e8542a5e82ef75611018c78866f2ff5662a7c099d24616fba008f79108f5d15552f8fb2b1437543038ad5555626b6
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+OPIC:5Zv5PDwbjNrmAE+qIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI1MTgyMzAxNzUyNTI1MjEyNg.Gq9elm.EfhMIc-eCeEBcZ97uoRa_T1KAXKFQmgIerhsCg
server_id
1267742928692973691

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 2220	1056	MW3PRO00.exe	28
PID 1056 wrote to memory of 2220	1056	MW3PRO00.exe	28
PID 1056 wrote to memory of 2220	1056	MW3PRO00.exe	28

C:\Users\Admin\AppData\Local\Temp\MW3PRO00.exe
"C:\Users\Admin\AppData\Local\Temp\MW3PRO00.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1056 -s 596
  2⤵
  PID:2220

memory/1056-0-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp

Filesize
4KB

Download
memory/1056-1-0x000000013F9D0000-0x000000013F9E8000-memory.dmp

Filesize
96KB

Download
memory/1056-2-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download
memory/1056-3-0x000007FEF54A3000-0x000007FEF54A4000-memory.dmp

Filesize
4KB

Download
memory/1056-4-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

Filesize
9.9MB

Download