discordrat | 7c025b2421e49f55f97484db876940a4be40ad66180745bf5cbf27242aa5d433

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-01-2025 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortnite‮gpj.exe
Size

872KB
MD5

1e2050af9bccc9a8766a43fb83b9b1f0
SHA1

d26c33e6c6db918dccbd538877e301b28c90307e
SHA256

7c025b2421e49f55f97484db876940a4be40ad66180745bf5cbf27242aa5d433
SHA512

cf6c4085b0a260e920cb737c50cdce42fcf684120005072b6f4dd125ad058c142fc51220695d0b2ebc1e4c9e74283f5eb091b709a58e92ba8f0545bba4e116f6
SSDEEP

24576:X5ZWs+OZVEWry8AFBn+yHDB17T4ZQqKkFPJ1x1CwrNa6h8kQU17l:JZB1G8Yt+yjT/joFzxr46houl

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTE3MDQzNjc1NDU1NDI0NTE4MA.G8c-n6.n5Z1nJRp3yw5c3HWGqwGMY-vuXkB44mjt5C8jE
server_id
1298154591732629564

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2772	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
2760	fortnite‮gpj.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe
2680	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2772	2760	fortnite‮gpj.exe	32
PID 2760 wrote to memory of 2772	2760	fortnite‮gpj.exe	32
PID 2760 wrote to memory of 2772	2760	fortnite‮gpj.exe	32
PID 2772 wrote to memory of 2680	2772	Client-built.exe	33
PID 2772 wrote to memory of 2680	2772	Client-built.exe	33
PID 2772 wrote to memory of 2680	2772	Client-built.exe	33

C:\Users\Admin\AppData\Local\Temp\fortnite‮gpj.exe
"C:\Users\Admin\AppData\Local\Temp\fortnite‮gpj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2772 -s 596
    3⤵
    - Loads dropped DLL
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
31da0445e4df48447bf0837e5fd5d17d

SHA1
ef352de96cc41e40d2eff276102daf44297c0799

SHA256
9e43df1193f7077f7438de824501d1436ca1f126a307a6b7c81bc8d4a90efa2c

SHA512
a2b2271062f9fc9e98c5c1ef8ed8a4e53c2a4a3f2428df2b574ddcf0f3312f01610d2f5ae246a2d411212f79954e38028ccf13935f8f0d44e0a0ba336e8ea88f

Download Submit
memory/2760-6-0x0000000003350000-0x0000000003360000-memory.dmp

Filesize
64KB

Download
memory/2772-13-0x000007FEF5623000-0x000007FEF5624000-memory.dmp

Filesize
4KB

Download
memory/2772-14-0x000000013F860000-0x000000013F878000-memory.dmp

Filesize
96KB

Download
memory/2772-19-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-21-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download