discordrat | a7e621222694b1384179574cd023ca68cbd5da5cb36a3de563c04f93c4286dbb

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortnite‮gpj.exe
Size

872KB
MD5

4498571a9abae3109110f8269dcd3161
SHA1

8ba4b502d42b784cd9dc61c0ba4b4eec7af55db1
SHA256

a7e621222694b1384179574cd023ca68cbd5da5cb36a3de563c04f93c4286dbb
SHA512

414b90fa966969e7ebaf7cfb262afd42894bc964fe9ba7587f559055fb5922ca174c7777d5b5de1a3843dd71304ebb48d94a3ddfee2aadcaecd96c09ee9fb57c
SSDEEP

24576:X5ZWs+OZVEWry8AFBn+yHDB17T4ZrCqKkFPJ1x1CwrNa6h8kQU1s:JZB1G8Yt+yjT/SCoFzxr46ho9

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE3MDQzNjc1NDU1NDI0NTE4MA.GR3Xh1.pvHYX3HiB6vpnvhTb33A2CfQZZTlCD26XRDRqs
server_id
1298154591732629564

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2576	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
2132	fortnite‮gpj.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe
2512	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2576	2132	fortnite‮gpj.exe	29
PID 2132 wrote to memory of 2576	2132	fortnite‮gpj.exe	29
PID 2132 wrote to memory of 2576	2132	fortnite‮gpj.exe	29
PID 2576 wrote to memory of 2512	2576	Client-built.exe	30
PID 2576 wrote to memory of 2512	2576	Client-built.exe	30
PID 2576 wrote to memory of 2512	2576	Client-built.exe	30

C:\Users\Admin\AppData\Local\Temp\fortnite‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite‮gpj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2576 -s 596
    3⤵
    - Loads dropped DLL
    PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
b27fd4f421612aedfe5c04bc98501213

SHA1
355140fc9877f094127b432e39581d13ce17437e

SHA256
8600dfff2cf54d37ae8d5859eb4b6410f9b97f0b0945a068ca3e5be9a5289398

SHA512
8129ce007dac1f1494702a1315f8bedf6c1872150accfe70f3f25f5031d7cd373a8edbf1a59f8c8ba44ad61863c73c2177e5f77786fb43cb48bf6eb43916e94e

Download Submit
memory/2132-6-0x00000000024D0000-0x00000000024E0000-memory.dmp

Filesize
64KB

Download
memory/2576-13-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2576-14-0x000000013FB40000-0x000000013FB58000-memory.dmp

Filesize
96KB

Download
memory/2576-19-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-21-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download