discordrat | 5068c095fe2dc0ea113802f0cfe1b2c733b9af3d26b56fe4640b84182dad3b00 | Triage

Analysis

max time kernel
7s
max time network
1s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 21:22

Sharing

Report Analysis Logs

General

Target

FreeCCs.exe
Size

78KB
MD5

23121ec5aa860121c4b03e246d919c4b
SHA1

750802101b7936c1f3f9140a8a5c8871d0c1d52f
SHA256

5068c095fe2dc0ea113802f0cfe1b2c733b9af3d26b56fe4640b84182dad3b00
SHA512

3dced9e61805d07e388d378f8fd6b8d0d099c878e05910dadf896440e5b79ca4d7f5404b8af734398678654aa8b55d0829b74e61b0771e9d9a5e1107d846425c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ePIC:5Zv5PDwbjNrmAE+aIC

Score

10^/10

discordrat dotnet persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMTU0ODcwMzk2NTg0MzUxNg.GIKoSl.hpLTnBEEtO8tJ-575ifZ73sv0H1AL_hR73OJxA
server_id
1311541606738038905

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

C# Executable 3 IoCs

Detects C# .NET executables.

Processes:

resource	yara_rule
behavioral1/memory/2112-1-0x000000013FEC0000-0x000000013FED8000-memory.dmp	DotNet
behavioral1/memory/2112-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp	DotNet
behavioral1/memory/2112-3-0x000007FEF6620000-0x000007FEF700C000-memory.dmp	DotNet

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

FreeCCs.exe

description	pid	Process	procid_target
PID 2112 wrote to memory of 2828	2112	FreeCCs.exe	31
PID 2112 wrote to memory of 2828	2112	FreeCCs.exe	31
PID 2112 wrote to memory of 2828	2112	FreeCCs.exe	31

C:\Users\Admin\AppData\Local\Temp\FreeCCs.exe
"C:\Users\Admin\AppData\Local\Temp\FreeCCs.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2112 -s 596
  2⤵
  PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2112-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x000000013FEC0000-0x000000013FED8000-memory.dmp

Filesize
96KB

Download
memory/2112-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-3-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download