discordrat | abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe
Size

748KB
MD5

4a50c0fac7e7c8c8bab89a1968d24927
SHA1

8315b29f960059621c67b06ce85d8390df61ae53
SHA256

abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e
SHA512

d6916f0a844ba8301a24b602411d859e44dedac5077c589fe9ae205f52dddb40b49bced20d3de41abf4a9a979b6171ee1f6b1318b811e460ec615fe2fd875d8f
SSDEEP

12288:8yveQB/fTHIGaPkKEYzURNAwbAg8f0VXGxnB/OBBh+HqXkGDQv88:8uDXTIGaPhEYzUzA0q6XGxZOBlHQv88

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyMzk1NDMyMzI3Mjc2NTQ1MA.GlwOtb.MRk2b9stGIOHJ31nrWHUdCWhTi5zASWKSorIOk
server_id
1323954995678417017

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2868	backdoored.exe

Loads dropped DLL 6 IoCs

pid	Process
2108	abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe
3004	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2868	2108	abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe	31
PID 2108 wrote to memory of 2868	2108	abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe	31
PID 2108 wrote to memory of 2868	2108	abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe	31
PID 2868 wrote to memory of 3004	2868	backdoored.exe	32
PID 2868 wrote to memory of 3004	2868	backdoored.exe	32
PID 2868 wrote to memory of 3004	2868	backdoored.exe	32

C:\Users\Admin\AppData\Local\Temp\abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe
"C:\Users\Admin\AppData\Local\Temp\abaee704f5c196371eb8b92f161135f5d42d9290c92e2ceb1e7dee10a0d15a4e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoored.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoored.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2868 -s 596
    3⤵
    - Loads dropped DLL
    PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoored.exe

Filesize
78KB

MD5
54e9187948f4a9b41bd59d9fd635eecc

SHA1
035ad8b616219217759da98bf1389cdbd9b61f5c

SHA256
bc2103c84955d2046cc1c8460f6ed28de8739cbb21143cae612c5b8ef31ea63e

SHA512
452be3bd85e93e005c406c0b9998c8c92e0ce6b38538d22d48a307f3496872a8a4d1542ee16c210cac5a0d86c391081c892ff657b2351a5c72b756241c1f58ea

Download Submit
memory/2108-6-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/2868-13-0x000007FEF5323000-0x000007FEF5324000-memory.dmp

Filesize
4KB

Download
memory/2868-14-0x000000013FFC0000-0x000000013FFD8000-memory.dmp

Filesize
96KB

Download
memory/2868-19-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-21-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download