discordrat | 7f63a4691f7d818ef1868d269d38862c0a19dcda170cdb5dd8788d8d451a548c | Triage

Analysis

max time kernel
1559s
max time network
1566s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 20:24

Sharing

Report Analysis Logs

General

Target

babaya new.exe
Size

78KB
MD5

7209d6899561c71ca335c2d795d67ae3
SHA1

eb5685dbd5db4d2800649dc3fcc57b9a6917d09a
SHA256

7f63a4691f7d818ef1868d269d38862c0a19dcda170cdb5dd8788d8d451a548c
SHA512

cab4cb58746ff45766fd1566e6a3879d5ff85c759ee620fca9d305dfdd85a8c526d1b296683541821b87bd00e6b678a046d5c9c4b7d7badcb8386b4db8029e92
SSDEEP

1536:K2WjO8XeEXF15P7v88wbjNrfxCXhRoKV6+V+VPIC:KZb5PDwbjNrmAE+FIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
https://discord.com/api/webhooks/1296206480852127744/QR0Ij0ivxObUlFMF780C3YZ5TxjdP8PCuVx-iht_GGwTaj8HwwmhOy18jEHc0UiQWQO2
server_id
1296206452741902457

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

babaya new.exe

description	pid	Process	procid_target
PID 2888 wrote to memory of 2824	2888	babaya new.exe	30
PID 2888 wrote to memory of 2824	2888	babaya new.exe	30
PID 2888 wrote to memory of 2824	2888	babaya new.exe	30

C:\Users\Admin\AppData\Local\Temp\babaya new.exe
"C:\Users\Admin\AppData\Local\Temp\babaya new.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2888 -s 604
  2⤵
  PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2888-1-0x000000013FB50000-0x000000013FB68000-memory.dmp

Filesize
96KB

Download
memory/2888-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-3-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download