discordrat | 56b13321c915aff2eab83aa707194ab42f8ff8e59bcb305a51a41ab89344b016

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 13:21

Target

Clientbuilt.exe
Size

78KB
MD5

750fdf2a326c6db022bc41d9d8902b59
SHA1

072cdc8d086316129dc5228d66e4c7b401513c5f
SHA256

56b13321c915aff2eab83aa707194ab42f8ff8e59bcb305a51a41ab89344b016
SHA512

cded66eb7c75b262c183d6d459cd19dbb602574cddcea69107001e11a0c9258ec708710513a2a9692dc3101d59ac8cb14d1aa43bb21681ad3c3318e2666aafbb
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+EPIC:5Zv5PDwbjNrmAE+YIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI2ODk2NDIwNTMzMjAwOTA4MQ.G2VQO3.rLYaZ6YXS_2cD32yjU_EpC30Zspp6IkmC0MMuU
server_id
1283852429145804882

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1148	1880	Clientbuilt.exe	30
PID 1880 wrote to memory of 1148	1880	Clientbuilt.exe	30
PID 1880 wrote to memory of 1148	1880	Clientbuilt.exe	30

C:\Users\Admin\AppData\Local\Temp\Clientbuilt.exe
"C:\Users\Admin\AppData\Local\Temp\Clientbuilt.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1880 -s 596
  2⤵
  PID:1148

memory/1880-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1880-1-0x000000013FF60000-0x000000013FF78000-memory.dmp

Filesize
96KB

Download
memory/1880-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-3-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

Filesize
4KB

Download
memory/1880-4-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

Filesize
9.9MB

Download