discordrat | 5068c095fe2dc0ea113802f0cfe1b2c733b9af3d26b56fe4640b84182dad3b00 | Triage

Resubmissions

07/12/2024, 18:53

241207-xjvnxatmap 10

07/12/2024, 15:45

241207-s6292s1qcn 10

05/12/2024, 19:45

241205-ygvfssypbv 10

Analysis

max time kernel
7s
max time network
4s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/12/2024, 19:45

Sharing

Report Analysis Logs

General

Target

Image logger V2.exe
Size

78KB
MD5

23121ec5aa860121c4b03e246d919c4b
SHA1

750802101b7936c1f3f9140a8a5c8871d0c1d52f
SHA256

5068c095fe2dc0ea113802f0cfe1b2c733b9af3d26b56fe4640b84182dad3b00
SHA512

3dced9e61805d07e388d378f8fd6b8d0d099c878e05910dadf896440e5b79ca4d7f5404b8af734398678654aa8b55d0829b74e61b0771e9d9a5e1107d846425c
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+ePIC:5Zv5PDwbjNrmAE+aIC

Score

10^/10

discordrat dotnet persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxMTU0ODcwMzk2NTg0MzUxNg.GIKoSl.hpLTnBEEtO8tJ-575ifZ73sv0H1AL_hR73OJxA
server_id
1311541606738038905

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

C# Executable 3 IoCs

Detects C# .NET executables.

resource	yara_rule
behavioral1/memory/1604-1-0x000000013FB30000-0x000000013FB48000-memory.dmp	DotNet
behavioral1/memory/1604-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp	DotNet
behavioral1/memory/1604-3-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp	DotNet

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 2360	1604	Image logger V2.exe	31
PID 1604 wrote to memory of 2360	1604	Image logger V2.exe	31
PID 1604 wrote to memory of 2360	1604	Image logger V2.exe	31

C:\Users\Admin\AppData\Local\Temp\Image logger V2.exe
"C:\Users\Admin\AppData\Local\Temp\Image logger V2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1604 -s 600
  2⤵
  PID:2360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1604-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/1604-1-0x000000013FB30000-0x000000013FB48000-memory.dmp

Filesize
96KB

Download
memory/1604-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/1604-3-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download