Overview

overview

10

Static

static

10

botter.zip

windows7-x64

botter.zip

windows10-2004-x64

botter.zip

android-9-x86

botter.zip

android-10-x64

botter.zip

android-11-x64

botter.zip

macos-10.15-amd64

botter.zip

ubuntu-18.04-amd64

botter.zip

debian-9-armhf

botter.zip

debian-9-mips

botter.zip

debian-9-mipsel

botter.exe

windows7-x64

10

botter.exe

windows10-2004-x64

10

botter.exe

android-9-x86

botter.exe

android-10-x64

botter.exe

android-11-x64

botter.exe

macos-10.15-amd64

botter.exe

ubuntu-18.04-amd64

botter.exe

debian-9-armhf

botter.exe

debian-9-mips

botter.exe

debian-9-mipsel

Resubmissions

13-01-2025 04:03

250113-eml7tsxnbl 10

12-01-2025 14:59

250112-sc7bxaxjdv 10

Analysis

  • max time kernel
    839s
  • max time network
    841s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2025 04:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    botter.exe

  • Size

    78KB

  • MD5

    8ebf44c3c47d368300e0d41c34296bf3

  • SHA1

    fa5b7afe0f309a69344c52b0877be7fe35a35592

  • SHA256

    2bd21a43c14023165182064239d919168353238b8e3027b72be4d47c5ec5c56c

  • SHA512

    1b9d82a8b52ede86e79fb0cbf397036bca712d25777f26c243ed6aaa6a2c301011a12679d05ff79ad3a3944513cfa295922d4582f9de5daf86768d55465b0a68

  • SSDEEP

    1536:1dK8EHG6SJNFrDCDopt4F4dhSc5Gr4ImshNzC/Eks0m0nbTdGFQngfo9wzWUbyVC:TK8EmBHpm0X40gUwhnzOspzyPCBf2hUv

Score
10/10
discordratpersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    4D544D794D7A51314E5451304D7A49784D6A677A4D6A67344D412E47777A4D35482E686E7467374B6B4A644C7A496F516D38395F4C62725575584F6B38692D5A694C31572D57624D

  • server_id

    1327726809084854434

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\botter.exe
    C:\Users\Admin\AppData\Local\Temp\botter.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2056 -s 600
      2⤵
        PID:2680

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2056-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2056-1-0x000000013FE00000-0x000000013FE18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2056-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2056-3-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

      Filesize

      9.9MB

      Download