discordrat | 3808820028e5f92df964babea0fc28b2c338caed7fc346f23bf7a72f9718b59a | Triage

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 06:21

Sharing

Report Analysis Logs

General

Target

Trixo.exe
Size

78KB
MD5

1b745940dc781b1beaffa5a5e91781f7
SHA1

1595744d57ac62fd080890ca4ccfad79ee191b52
SHA256

3808820028e5f92df964babea0fc28b2c338caed7fc346f23bf7a72f9718b59a
SHA512

ce064369769a8da2dbf9f73e141cbbd4b63399a77e66a7fecad0e630eb3ea9eb4cdd209740b9698419c53ba13ce728124f8ebb7864f6bb964fa3f4732c6aa234
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+VPIC:5Zv5PDwbjNrmAE+FIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMwMzgwMTQ1OTM4MDU4ODU0NQ.GKEDWk.oxHbrr9T6zxUFqz1QeZtVAdFcU0vLwPkbmSS6I
server_id
1318292679783747594

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2700	1728	Trixo.exe	30
PID 1728 wrote to memory of 2700	1728	Trixo.exe	30
PID 1728 wrote to memory of 2700	1728	Trixo.exe	30

C:\Users\Admin\AppData\Local\Temp\Trixo.exe
"C:\Users\Admin\AppData\Local\Temp\Trixo.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1728 -s 600
  2⤵
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x000000013F690000-0x000000013F6A8000-memory.dmp

Filesize
96KB

Download
memory/1728-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1728-3-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download