discordrat | 52de440336e507aa5f83da2891db30fec93b9ca8938f94f4230d6edc28c34196

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 05:45

Target

Solara.exe
Size

78KB
MD5

13438d39f46bb3aa301c3841ece7ebb2
SHA1

73df2ebdfc99630055ac30fe4ad1c716df8b94e8
SHA256

52de440336e507aa5f83da2891db30fec93b9ca8938f94f4230d6edc28c34196
SHA512

af5ca9e6d20bcfd1e46b6b5c528a40a46a7ebb91a05ce47e374d62ebd848aaec80e913cec0b530289c557f2fd5cd552d2f6298535a85e9701c83b02d2b20988a
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+kPIC:5Zv5PDwbjNrmAE+4IC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI4MjAzOTg1NjcyMTI5NzQwOA.G8Jemc.2Yo596vgm4EHrrszWksvp4dTlfBVdqyG77PAmg
server_id
1127201631080030318

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1732	1048	Solara.exe	29
PID 1048 wrote to memory of 1732	1048	Solara.exe	29
PID 1048 wrote to memory of 1732	1048	Solara.exe	29

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1048 -s 596
  2⤵
  PID:1732

memory/1048-0-0x000007FEF6013000-0x000007FEF6014000-memory.dmp

Filesize
4KB

Download
memory/1048-1-0x000000013F130000-0x000000013F148000-memory.dmp

Filesize
96KB

Download
memory/1048-2-0x000007FEF6010000-0x000007FEF69FC000-memory.dmp

Filesize
9.9MB

Download
memory/1048-3-0x000007FEF6013000-0x000007FEF6014000-memory.dmp

Filesize
4KB

Download
memory/1048-4-0x000007FEF6010000-0x000007FEF69FC000-memory.dmp

Filesize
9.9MB

Download