discordrat | 1c8b0bc47959a8a4ccf8f4fb503a4140e64c061b6caab1e7b928c57c8b384626

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 11:38

Target

Bypasser Bootstrapper.exe
Size

78KB
MD5

7034301e3ac031e461bac41724e99e6a
SHA1

7bd734437f0b19c7747aba31052c483435daa752
SHA256

1c8b0bc47959a8a4ccf8f4fb503a4140e64c061b6caab1e7b928c57c8b384626
SHA512

08d372de93dc286e4cbb92985accec6bbe05d303a4b3bdfbfc8f9a52e32c53290f25559d2d2c1647f5b8f6eed3784847e8bbcaa8a6a7076a45c91ab1dce7bc39
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+vPIC:5Zv5PDwbjNrmAE+XIC

Score

10^/10

Family

discordrat

Attributes

discord_token
MTI5Njc5NzcxODY3NjUwODcxMg.GrzRRI.D-De87vmLBpcyR4TeswbQ1RxxK-0yfr_6Sp90Y
server_id
1296796257108365374

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2372	2032	Bypasser Bootstrapper.exe	30
PID 2032 wrote to memory of 2372	2032	Bypasser Bootstrapper.exe	30
PID 2032 wrote to memory of 2372	2032	Bypasser Bootstrapper.exe	30

C:\Users\Admin\AppData\Local\Temp\Bypasser Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bypasser Bootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2032 -s 596
  2⤵
  PID:2372

memory/2032-0-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/2032-1-0x000000013F5D0000-0x000000013F5E8000-memory.dmp

Filesize
96KB

Download
memory/2032-2-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2032-3-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/2032-4-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download