discordrat | b32cfa2c536bfc631f37621471e23d3b05dffa1c94ef1c88e8136fd07c389105

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w/Obekräftade 445796.zip
Size

445KB
MD5

06a4fcd5eb3a39d7f50a0709de9900db
SHA1

50d089e915f69313a5187569cda4e6dec2d55ca7
SHA256

c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97
SHA512

75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b
SSDEEP

12288:BfJ13+GoLo2d5ifXHE8134QwYOwFSFRiLQI:BKGo8EifSQwYWI

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

Processes:

Discord rat.exe

pid	Process
2276	Discord rat.exe

Loads dropped DLL 6 IoCs

Processes:

7zFM.exeWerFault.exe

pid	Process
1936	7zFM.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

7zFM.exe

pid	Process
1936	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
1936	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	1936	7zFM.exe
Token: 35	1936	7zFM.exe
Token: SeSecurityPrivilege	1936	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid	Process
1936	7zFM.exe
1936	7zFM.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

7zFM.exeDiscord rat.exe

description	pid	Process	procid_target
PID 1936 wrote to memory of 2276	1936	7zFM.exe	30
PID 1936 wrote to memory of 2276	1936	7zFM.exe	30
PID 1936 wrote to memory of 2276	1936	7zFM.exe	30
PID 2276 wrote to memory of 2200	2276	Discord rat.exe	31
PID 2276 wrote to memory of 2200	2276	Discord rat.exe	31
PID 2276 wrote to memory of 2200	2276	Discord rat.exe	31

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\w\Obekräftade 445796.zip"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\7zO097A5396\Discord rat.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO097A5396\Discord rat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2276 -s 600
    3⤵
    - Loads dropped DLL
    PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7zO097A5396\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
memory/2276-8-0x000000013FE10000-0x000000013FE28000-memory.dmp

Filesize
96KB

Download