discordrat | 2e4f54bd9589e135c3a489af339ad06bd4843a32ac0ea44115ecde240a41b510 | Triage

Analysis

max time kernel
12s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 23:05

Sharing

Report Analysis Logs

General

Target

injector.exe
Size

78KB
MD5

691c8bfc9e0c88048e673958036b4521
SHA1

f5d8391530f31b5540dd6fefac179061ea44f366
SHA256

2e4f54bd9589e135c3a489af339ad06bd4843a32ac0ea44115ecde240a41b510
SHA512

cb9bda3900576e8af500eaf61e812b87a443964a47ac8d6ec0696b6a32774150800da09dd84b9810b532152d0292878e5ed4e9cdaf86509ac8162e2e759f230d
SSDEEP

1536:O2WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+VPIz:OZv5PDwbjNrmAE+FIz

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5Mjk3NzAzNDk0MzAwODg5MA.GUtIvD.vaGauQAWYFeLWJRnUaocQs4q3Ztcew_JgOoy8U
server_id
1292965909807501376

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2700	1084	injector.exe	30
PID 1084 wrote to memory of 2700	1084	injector.exe	30
PID 1084 wrote to memory of 2700	1084	injector.exe	30

C:\Users\Admin\AppData\Local\Temp\injector.exe
"C:\Users\Admin\AppData\Local\Temp\injector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1084 -s 600
  2⤵
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-0-0x000007FEF5163000-0x000007FEF5164000-memory.dmp

Filesize
4KB

Download
memory/1084-1-0x000000013F930000-0x000000013F948000-memory.dmp

Filesize
96KB

Download
memory/1084-2-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download
memory/1084-3-0x000007FEF5160000-0x000007FEF5B4C000-memory.dmp

Filesize
9.9MB

Download