discordrat | 4c139afe74d19c682ad84e99e72fbfadce26962656459e296a699189989d8641 | Triage

Analysis

max time kernel
1s
max time network
4s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 03:02

Sharing

Report Analysis Logs

General

Target

lucas's program.exe
Size

78KB
MD5

584d0704f4bc746fd4150b18a9448025
SHA1

4461870de74745e8ba3a8942c67b89413e93f367
SHA256

4c139afe74d19c682ad84e99e72fbfadce26962656459e296a699189989d8641
SHA512

67461e78fcb39babc182d83eae5fc0c0f55fbf1634c63a4d1bfdfa92556fd889d15a523d6f1a42460c25c3600607e18a0d62d222c95e57a80ce72c285d26a131
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+bPIC:5Zv5PDwbjNrmAE+TIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMxNjAwMTU1MzkyODE2MzM2OA.GfvyHM.Jc6nfIT_2FLUGz_YxRYgHqrOjdn4OllCF2TZ7E
server_id
1316003569232515092

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2892	392	lucas's program.exe	29
PID 392 wrote to memory of 2892	392	lucas's program.exe	29
PID 392 wrote to memory of 2892	392	lucas's program.exe	29

C:\Users\Admin\AppData\Local\Temp\lucas's program.exe
"C:\Users\Admin\AppData\Local\Temp\lucas's program.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 392 -s 596
  2⤵
  PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/392-1-0x000000013FBE0000-0x000000013FBF8000-memory.dmp

Filesize
96KB

Download
memory/392-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download