discordrat | 1004ec56662bb7f748ceca118b5be12cb57746e0918a3d07aced6d3be5d91e76 | Triage

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 22:16

Sharing

Report Analysis Logs

General

Target

tools.exe
Size

78KB
MD5

b0e2fb810d84976ca81d3fc8130f97ae
SHA1

fffa04a5aee0ca44d7885045a4c7f1a84a11ef22
SHA256

1004ec56662bb7f748ceca118b5be12cb57746e0918a3d07aced6d3be5d91e76
SHA512

5b069422912d79ff2c7cae8afc948cdb6271cff2d2a1a9e5ebfab490ab73847857a95e793e4b79e35be99e6260a0d741e19bf87ccca8a366b1c9126e58b693d9
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+4PIC:5Zv5PDwbjNrmAE+cIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE5NjA2MDQ3OTI3ODI5Mjk5Mg.GzqInl.LbCCpCdIMlcmvb3nWvHggqt02zzRa4VLAxK6_8
server_id
1201803877058621460

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2676	2216	tools.exe	30
PID 2216 wrote to memory of 2676	2216	tools.exe	30
PID 2216 wrote to memory of 2676	2216	tools.exe	30

C:\Users\Admin\AppData\Local\Temp\tools.exe
"C:\Users\Admin\AppData\Local\Temp\tools.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2216 -s 600
  2⤵
  PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x000000013F150000-0x000000013F168000-memory.dmp

Filesize
96KB

Download
memory/2216-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2216-3-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download