discordrat | b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe
Size

1.1MB
MD5

68de2c63489575fdc69209c48f03e373
SHA1

3bf66befd008ad1a8876d6683f67648a01688a07
SHA256

b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae
SHA512

77c2952c34efbae2923ddca8de26859a3d0481ee1b393cdb58a96ffa9c8d5e47272f5c27a46e91671c7606c502843d0ac229bca228d3d3abf690833da6ed8ace
SSDEEP

24576:AuDXTIGaPhEYzUzA0P/+f7+EsQdWwUUcLs1bwvZ/Hxa3kNGUpD:vDjlabwz9P/+fvxjcCbE/gxUpD

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNzIwMTkyNjY1MTI1Mjc5Ng.GGmA9C.Umk50Kx-pwR-yNlFXEu7O8TF68_JH2rIJhlydY
server_id
1317202248664879145

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
1936	chinito.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe
2264	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1936	2696	b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe	31
PID 2696 wrote to memory of 1936	2696	b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe	31
PID 2696 wrote to memory of 1936	2696	b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe	31
PID 1936 wrote to memory of 2264	1936	chinito.exe	32
PID 1936 wrote to memory of 2264	1936	chinito.exe	32
PID 1936 wrote to memory of 2264	1936	chinito.exe	32

C:\Users\Admin\AppData\Local\Temp\b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe
"C:\Users\Admin\AppData\Local\Temp\b98c0a7983a1a8e77aa68304db614debd63e71f2e441d0298e378606c9517aae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\chinito.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\chinito.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1936 -s 596
    3⤵
    - Loads dropped DLL
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\chinito.exe

Filesize
78KB

MD5
a50d0bdefa1f68ca606254ea8b38d883

SHA1
d87e743a20ae690013e63aa074d9230d86e48c56

SHA256
414e8ebfc8186fd958530895a24973b8353d0266e49a13c75ad88ac2310d4bd5

SHA512
80f09feacb2737184e3cfaed86d1190d3008d82c8064c463fab7e3152f1d43a8b26529a078509255fe3120b43105b28b8a2e079534c6ac59e6dd7394aa942d8c

Download Submit
memory/1936-11-0x000007FEF6193000-0x000007FEF6194000-memory.dmp

Filesize
4KB

Download
memory/1936-12-0x000000013F9A0000-0x000000013F9B8000-memory.dmp

Filesize
96KB

Download
memory/1936-17-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-19-0x000007FEF6190000-0x000007FEF6B7C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-4-0x0000000003410000-0x0000000003420000-memory.dmp

Filesize
64KB

Download