discordrat | 0d12c936747a895675c12ae53af28352bc8a1c6fdec16aa4abf35499e5c86b94

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 05:05

Target

Run.exe
Size

78KB
MD5

af4b2ac80f5f1cdf5b67fb87918fa8f6
SHA1

2d9a85401738144e01000a11d5ad16534dd7703a
SHA256

0d12c936747a895675c12ae53af28352bc8a1c6fdec16aa4abf35499e5c86b94
SHA512

6f9e4c481ac8678e14ce38b61c5108efade109a03b39330018bd7d3deb9a562abd89bce8ec0a60ec7ee5da592e9158f88d5a7b805997d3515b9e3d2797c2c59e
SSDEEP

1536:P2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+VPIu:PZv5PDwbjNrmAE+FIu

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI4OTA4NDQ4NjAxNzA5MzY1Mg.GU9sth.3N0tTy7lqu3KMV6HV1In6GWJPFUNSX5TtpGqBs
server_id
1289039707686178857

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2396	2568	Run.exe	30
PID 2568 wrote to memory of 2396	2568	Run.exe	30
PID 2568 wrote to memory of 2396	2568	Run.exe	30

C:\Users\Admin\AppData\Local\Temp\Run.exe
"C:\Users\Admin\AppData\Local\Temp\Run.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2568 -s 596
  2⤵
  PID:2396

memory/2568-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2568-1-0x000000013F950000-0x000000013F968000-memory.dmp

Filesize
96KB

Download
memory/2568-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2568-4-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download