discordrat | aa01ef386dab50bcc769f7493d5ab6992fdc1d161053f2ed304f915343e5aa51 | Triage

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/10/2024, 09:29

Sharing

Report Analysis Logs

General

Target

Bigger.exe
Size

78KB
MD5

9061e914758e87df60035dd4d6cdedfa
SHA1

4bbba2467f63a9ae8df829c5f93cd95c2e9e0a64
SHA256

aa01ef386dab50bcc769f7493d5ab6992fdc1d161053f2ed304f915343e5aa51
SHA512

3dcc43ba4b9c3b420a5de02d31c88d1e2f80f0874d891e1581df6222f0b2e6b2cc6a405cf56eef549272cf6c164b4d1979ed09e42a60c2f4a4d06353988a1106
SSDEEP

1536:+2WjO8XeEXFZ5P7v88wbjNrfxCXhRoKV6+V+6PIC:+ZX5PDwbjNrmAE+mIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MjQxNDg3MTgyODMwMzkxMw.GuvGW5.TE4E5oQ4YSm2U7C9NE3085VtuodT3cYqYArySU1292414671114211401
server_id
1292414671114211401

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2652	2480	Bigger.exe	31
PID 2480 wrote to memory of 2652	2480	Bigger.exe	31
PID 2480 wrote to memory of 2652	2480	Bigger.exe	31

C:\Users\Admin\AppData\Local\Temp\Bigger.exe
"C:\Users\Admin\AppData\Local\Temp\Bigger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2480 -s 596
  2⤵
  PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/2480-1-0x000000013FDE0000-0x000000013FDF8000-memory.dmp

Filesize
96KB

Download
memory/2480-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/2480-3-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download