discordrat | 22ec463efcdbe25769d052b8c7efbc906308b4cb0c9b4a050e9f87d9d3c9603f

Analysis

max time kernel
107s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sonic‮gpj.exe
Size

517KB
MD5

61fbc144acd42d18cbfc6120d4ca62d8
SHA1

ec8c85882a46b554abf6bc7772c0ef6725d6cc4f
SHA256

22ec463efcdbe25769d052b8c7efbc906308b4cb0c9b4a050e9f87d9d3c9603f
SHA512

5c327ede9b0536fe9bc3ca3da93533cc6ae2db51286daa66b75c05042593911c104a4a3a0525080a6be35b1fe224bb0f67ca79fdc82167b1a93c30d7c88c1692
SSDEEP

12288:2CQjgAtAHM+vetZxF5EWry8AJGy0y+qy8qyBqImFFQ:25ZWs+OZVEWry8AFBdy8jq5XQ

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE3MDQzNjc1NDU1NDI0NTE4MA.GrJnns.JzVbnDDcfKhzDhFYb8KVjb0LIZJvOQ-Q9G9LCQ
server_id
1298154591732629564

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2944	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
2824	sonic‮gpj.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	sonic‮gpj.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2944	2824	sonic‮gpj.exe	29
PID 2824 wrote to memory of 2944	2824	sonic‮gpj.exe	29
PID 2824 wrote to memory of 2944	2824	sonic‮gpj.exe	29
PID 2944 wrote to memory of 2132	2944	Client-built.exe	30
PID 2944 wrote to memory of 2132	2944	Client-built.exe	30
PID 2944 wrote to memory of 2132	2944	Client-built.exe	30

C:\Users\Admin\AppData\Local\Temp\sonic‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\sonic‮gpj.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2944 -s 596
    3⤵
    - Loads dropped DLL
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
b6069e0fa5c764e9515cb6cdcc92d3b9

SHA1
bfe86b754325936ee2a83fa361d344817e079df2

SHA256
e8f19282ab4fecb224e9c76290ea8043cd735b24e5ac47f17ab2e8e7e61ac413

SHA512
f2d5e5648275907fcb52d092e70c736b53382f08f699ee9c35237479f6d7f0c6c0886ffdbef47bbe3b457f421d6e93731e97ce9d8ca1bc9b62cc178588ddd30b

Download Submit
memory/2824-19-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2824-20-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

Filesize
4KB

Download
memory/2944-10-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2944-11-0x000000013FDD0000-0x000000013FDE8000-memory.dmp

Filesize
96KB

Download
memory/2944-16-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2944-18-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download