discordrat | d2ef967cf32ac7cb5d22c2921bb3e63ad81562b7df61de1bb94e6b71716c06d4 | Triage

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-10-2024 12:47

Sharing

Report Analysis Logs

General

Target

Setup.exe
Size

78KB
MD5

adbbd3611fcf6990d747036abd9bf4c4
SHA1

191132d7ee211e1ba11dbac2f74f71733c688f90
SHA256

d2ef967cf32ac7cb5d22c2921bb3e63ad81562b7df61de1bb94e6b71716c06d4
SHA512

bb6627d360141aca927d29fab4a6b6751ca47b0b08c8bd71bc991b330e74fb7ce4a03d5bed56b25405376aa4ee149989581652612f37a5024cc5c34b48b922c0
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+tPIC:5Zv5PDwbjNrmAE+9IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5Mjg0MzMwMDQ3ODI1NTIxMA.GOiMvF.buFAJ-8_QN7oxzDq-_ldj3Hz2f3za_ZGsizg8Y
server_id
1292843892663648317

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2344	3060	Setup.exe	30
PID 3060 wrote to memory of 2344	3060	Setup.exe	30
PID 3060 wrote to memory of 2344	3060	Setup.exe	30

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3060 -s 596
  2⤵
  PID:2344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3060-0-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp

Filesize
4KB

Download
memory/3060-1-0x000000013F9F0000-0x000000013FA08000-memory.dmp

Filesize
96KB

Download
memory/3060-2-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/3060-3-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download