discordrat | 9b2310215dc194404e34a204e0331e30dba68b7bbb3783d3a7c7fc41552d3eed | Triage

Resubmissions

14-10-2024 12:51

241014-p3gx6awdqa 10

11-10-2024 17:45

241011-wbqvbazcqp 10

Analysis

max time kernel
0s
max time network
0s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 17:45

Sharing

Report Analysis Logs

General

Target

zorara.exe
Size

78KB
MD5

cf871781917302521c076c9fb183a92b
SHA1

677e7aa6f044e7d04afe34b5276f2836e623d959
SHA256

9b2310215dc194404e34a204e0331e30dba68b7bbb3783d3a7c7fc41552d3eed
SHA512

2dbcf6f42954f981da3f95079aef5299089f12e1e4c6ba7901b612c778b11dfeafba15f7bca62fb8d18a1e71e9ba7675037600adfc4f6db7234afe7fde60a304
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+gPIC:5Zv5PDwbjNrmAE+EIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5NDAwNTY0OTIxODIwNzc2Ng.GPszTg.D8KTKB3_qLN0rn3XqvePMm8SzSDKIiDeKse1Ec
server_id
1293999282432774195

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2056	2136	zorara.exe	30
PID 2136 wrote to memory of 2056	2136	zorara.exe	30
PID 2136 wrote to memory of 2056	2136	zorara.exe	30

C:\Users\Admin\AppData\Local\Temp\zorara.exe
"C:\Users\Admin\AppData\Local\Temp\zorara.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2136 -s 596
  2⤵
  PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2136-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x000000013F7B0000-0x000000013F7C8000-memory.dmp

Filesize
96KB

Download
memory/2136-2-0x000007FEF5980000-0x000007FEF636C000-memory.dmp

Filesize
9.9MB

Download