discordrat | fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe
Size

805KB
MD5

1e4a9746b0ffb6eb4df73f6d524f09be
SHA1

be1127a1fa6b2f758c0ec68d5ef25b3db2ce0446
SHA256

fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f
SHA512

28f7b203691334e260b458f16b982caf69b5196773e1a889baacbea36a065773a5334688507d67d8db647bed5bb911f8a6b85e368e73e438d05b9d5dfdcc638a
SSDEEP

12288:nLMEalqxXblqoRX5qbfphLxaOwwqiX6WWvf8GveIujO7s:LqaXNabfphLxaU1qWafiIot

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzAxNDU0MjAwMzA3NzE5Mw.GUx5sJ.WCIjRKvDviF83VGQ_82BvMjbWVWWLpPc9yATx8
server_id
1081245691520761917

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2452	backdoor.exe

Loads dropped DLL 6 IoCs

pid	Process
1972	fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2452	1972	fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe	31
PID 1972 wrote to memory of 2452	1972	fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe	31
PID 1972 wrote to memory of 2452	1972	fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe	31
PID 2452 wrote to memory of 316	2452	backdoor.exe	32
PID 2452 wrote to memory of 316	2452	backdoor.exe	32
PID 2452 wrote to memory of 316	2452	backdoor.exe	32

C:\Users\Admin\AppData\Local\Temp\fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe
"C:\Users\Admin\AppData\Local\Temp\fc1759445792652340cdf648f637d7b5000b913c1ee2eb05ac2837ae15aed57f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2452 -s 596
    3⤵
    - Loads dropped DLL
    PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
494b0817de2a44d76861db9b2c1a8665

SHA1
fd36966e37c64466f43d5037b5a25791335490f9

SHA256
ea3c68198c041740807f2804a3b45c3283e62aacfc911edc3e2a500ad21b8101

SHA512
102f902ba8cac261f82d0cf4a7fff6c727bd40030aaad74d9c8a3417c1fe0c15171ed4952beac544f0ea97cc065cd2798fcef60bb7055c4dad27ab0815cdd9c1

Download Submit
memory/1972-4-0x0000000002190000-0x00000000021A0000-memory.dmp

Filesize
64KB

Download
memory/2452-11-0x000007FEF4D93000-0x000007FEF4D94000-memory.dmp

Filesize
4KB

Download
memory/2452-12-0x000000013F180000-0x000000013F198000-memory.dmp

Filesize
96KB

Download
memory/2452-17-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download
memory/2452-19-0x000007FEF4D90000-0x000007FEF577C000-memory.dmp

Filesize
9.9MB

Download