discordrat | be5b74f1dcd692567847e16cb940b95e578f597db208069fff152f231bf942d5

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 04:21

Target

botter.exe
Size

78KB
MD5

8ebf44c3c47d368300e0d41c34296bf3
SHA1

fa5b7afe0f309a69344c52b0877be7fe35a35592
SHA256

2bd21a43c14023165182064239d919168353238b8e3027b72be4d47c5ec5c56c
SHA512

1b9d82a8b52ede86e79fb0cbf397036bca712d25777f26c243ed6aaa6a2c301011a12679d05ff79ad3a3944513cfa295922d4582f9de5daf86768d55465b0a68
SSDEEP

1536:1dK8EHG6SJNFrDCDopt4F4dhSc5Gr4ImshNzC/Eks0m0nbTdGFQngfo9wzWUbyVC:TK8EmBHpm0X40gUwhnzOspzyPCBf2hUv

Score

10^/10

Family

discordrat

Attributes

discord_token
4D544D794D7A51314E5451304D7A49784D6A677A4D6A67344D412E47777A4D35482E686E7467374B6B4A644C7A496F516D38395F4C62725575584F6B38692D5A694C31572D57624D
server_id
1327726809084854434

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2044	2036	botter.exe	30
PID 2036 wrote to memory of 2044	2036	botter.exe	30
PID 2036 wrote to memory of 2044	2036	botter.exe	30

C:\Users\Admin\AppData\Local\Temp\botter.exe
"C:\Users\Admin\AppData\Local\Temp\botter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2036 -s 600
  2⤵
  PID:2044

memory/2036-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x000000013FBE0000-0x000000013FBF8000-memory.dmp

Filesize
96KB

Download
memory/2036-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-3-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download