discordrat | 41183a1d0ecdf0c1b4c9be01c0a67ac4b90e3cdca7a6defa4f9480e7f71f8999 | Triage

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 21:55

Sharing

Report Analysis Logs

General

Target

zorara (1).exe
Size

16.4MB
MD5

598830bb1d3598b76df422fc7572cfe0
SHA1

ad88d53508e4589262968b023c6bd067b230ef77
SHA256

41183a1d0ecdf0c1b4c9be01c0a67ac4b90e3cdca7a6defa4f9480e7f71f8999
SHA512

299cca048e7a2a98940ee1db0c4c641009bc132b13e8c9efe4ffa6a42df8720b0d368a43ba05193e949ab73d2350243e67aac6a56849045bf370c265ec72fa11
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+gPIC:5Zv5PDwbjNrmAE+EIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5NDAwNTY0OTIxODIwNzc2Ng.GPszTg.D8KTKB3_qLN0rn3XqvePMm8SzSDKIiDeKse1Ec
server_id
1293999282432774195

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2700	2876	zorara (1).exe	30
PID 2876 wrote to memory of 2700	2876	zorara (1).exe	30
PID 2876 wrote to memory of 2700	2876	zorara (1).exe	30

C:\Users\Admin\AppData\Local\Temp\zorara (1).exe
"C:\Users\Admin\AppData\Local\Temp\zorara (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2876 -s 596
  2⤵
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2876-1-0x000000013FBD0000-0x000000013FBE8000-memory.dmp

Filesize
96KB

Download
memory/2876-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-3-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download