discordrat | c41c0a3aff41ec17de75cd8f31f268f5063693743eb4639c907042574b3724ca

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1324648543721361449-1324648543402725396-Imagen-loro_1.exe
Size

709KB
MD5

9141efe15618fa406c09c030e5595f9e
SHA1

9cef69b36e557260b20298f48d11148cc9b83230
SHA256

c41c0a3aff41ec17de75cd8f31f268f5063693743eb4639c907042574b3724ca
SHA512

4a23ca9a5d35b289d9b3db7433ed9d7345ab4154e49f5bb8a0df995f28fa3ac75d25114c2ee0ba6352d80b779c9e0e50b2644e31f801a71ec8075fdb32e668ef
SSDEEP

12288:zyveQB/fTHIGaPkKEYzURNAwbAgXJEOcCqcko1q+tKMm1CMyo:zuDXTIGaPhEYzUzA0jyFo1e1gbo

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMyNDU1MTY2MzgxNzU5MjgzMg.Gsv4Af.87VMMw-6giEs1pl29CsssUr3cLvco6RhvCUymA
server_id
1324552691812405278

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2596	backdoor.exe

Loads dropped DLL 6 IoCs

pid	Process
2676	1324648543721361449-1324648543402725396-Imagen-loro_1.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2596	2676	1324648543721361449-1324648543402725396-Imagen-loro_1.exe	32
PID 2676 wrote to memory of 2596	2676	1324648543721361449-1324648543402725396-Imagen-loro_1.exe	32
PID 2676 wrote to memory of 2596	2676	1324648543721361449-1324648543402725396-Imagen-loro_1.exe	32
PID 2596 wrote to memory of 2588	2596	backdoor.exe	33
PID 2596 wrote to memory of 2588	2596	backdoor.exe	33
PID 2596 wrote to memory of 2588	2596	backdoor.exe	33

C:\Users\Admin\AppData\Local\Temp\1324648543721361449-1324648543402725396-Imagen-loro_1.exe
"C:\Users\Admin\AppData\Local\Temp\1324648543721361449-1324648543402725396-Imagen-loro_1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2596 -s 596
    3⤵
    - Loads dropped DLL
    PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\backdoor.exe

Filesize
78KB

MD5
dfdb4e31afcca54bbd536d1ff9f378c3

SHA1
88f973a381b342cb4bfd0952cd4985d83f0032d1

SHA256
9faf3b2adc648c52ed8f3930475cd2e75b5b415d50fb1b5d865c3ef15c77fc02

SHA512
f26d29f9c7433e82bbb3e99b41581689e9b487ea0ed61ae663f65bc28b705a7c1051a766c405394ee0d4a056d3a02a0c84fdebb307ac232d765c7e710dfaf207

Download Submit
memory/2596-11-0x000007FEF4E13000-0x000007FEF4E14000-memory.dmp

Filesize
4KB

Download
memory/2596-12-0x000000013F890000-0x000000013F8A8000-memory.dmp

Filesize
96KB

Download
memory/2596-17-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-19-0x000007FEF4E10000-0x000007FEF57FC000-memory.dmp

Filesize
9.9MB

Download
memory/2676-4-0x0000000002490000-0x00000000024A0000-memory.dmp

Filesize
64KB

Download