discordrat | fc2efd8bc73e8194e6ffd0b08e2a07d5436678ec8fa117376454e12e7d5a7ecc

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 13:25

Target

solaraV8.exe
Size

78KB
MD5

4dbaa7f4cab6e1c9053ec5a30d057a63
SHA1

84dee1923f3d65f106d6b6b41e2a90895d444c99
SHA256

fc2efd8bc73e8194e6ffd0b08e2a07d5436678ec8fa117376454e12e7d5a7ecc
SHA512

454b4742f8267984dd801ab254f0b13e170de250b95ec0cf80095b8ac56fa627c4b9d34c60cd5215797fd6afd4e65265dc676e94ad4858333df1aad1165c3ca2
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+JPIC:5Zv5PDwbjNrmAE+5IC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI4MzQ3NTY3MzkxODM0NTIyOA.GwQZAy.dzNxoLSQrrHQ7kQ84QzgXcXwQVIiFgky0-vXwk
server_id
1037097190742560768

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2832	1504	solaraV8.exe	30
PID 1504 wrote to memory of 2832	1504	solaraV8.exe	30
PID 1504 wrote to memory of 2832	1504	solaraV8.exe	30

C:\Users\Admin\AppData\Local\Temp\solaraV8.exe
"C:\Users\Admin\AppData\Local\Temp\solaraV8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1504 -s 596
  2⤵
  PID:2832

memory/1504-0-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/1504-1-0x000000013F930000-0x000000013F948000-memory.dmp

Filesize
96KB

Download
memory/1504-2-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/1504-3-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/1504-4-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download