discordrat | 269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe
Size

520KB
MD5

7e26d878b40e1e18d7a8502adb7786ee
SHA1

6ec71f9b6b4ed98c6ad17598cebfd2dbb2002355
SHA256

269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5
SHA512

c14613e37c3f7418ab289d92372677251d32663ac49d530d4f249014977e7d89dafd2f1b644dc2a4173d47e89e3b38d436da6a79425bcedb99736d7dee4d0ab6
SSDEEP

12288:EyveQB/fTHIGaPkKEYzURNAwbAg8jTYiGwbc:EuDXTIGaPhEYzUzA0qDGwbc

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMTM0MDQzMjc0Mjg3OTI3Mw.GMUugK._6Rg19IMHnSVA-dlu-NIekKS1NnRtnrMEh3n08
server_id
1321339493286019134

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2112	SteamUnlock.exe

Loads dropped DLL 6 IoCs

pid	Process
2536	269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2112	2536	269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe	31
PID 2536 wrote to memory of 2112	2536	269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe	31
PID 2536 wrote to memory of 2112	2536	269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe	31
PID 2112 wrote to memory of 2820	2112	SteamUnlock.exe	32
PID 2112 wrote to memory of 2820	2112	SteamUnlock.exe	32
PID 2112 wrote to memory of 2820	2112	SteamUnlock.exe	32

C:\Users\Admin\AppData\Local\Temp\269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe
"C:\Users\Admin\AppData\Local\Temp\269a629068ef029d5432e001a3744fa87753a3c62dee5dd022e461f94f849ee5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\SteamUnlock.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SteamUnlock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2112 -s 596
    3⤵
    - Loads dropped DLL
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\SteamUnlock.exe

Filesize
78KB

MD5
5ffa997113e1c77bd1fe56b2a031da6c

SHA1
29eac5c9e7d61e318d6d251dece17f81a63fd22f

SHA256
63de0a9854e0d14b47230564d1aa3d04bb01f74fd5b986480ffe28dd1f224c9c

SHA512
62ee694c98f3b362cbf9c1ce0927d961bf360cb6ba6f34bab045c445fd0b8d3ca004476a43a8d20a54a1e2d6ecb9f7b1c4a142d0249a8e3e30b53540b50c42de

Download Submit
memory/2112-11-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2112-12-0x000000013FCA0000-0x000000013FCB8000-memory.dmp

Filesize
96KB

Download
memory/2112-17-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2112-19-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2536-4-0x0000000002330000-0x0000000002340000-memory.dmp

Filesize
64KB

Download