discordrat | 820e078ba20a1d71567e03ba9ded74fba3783a332123141333b315c9e5a5a02a

Resubmissions

13-01-2025 06:05

250113-gtesfayrfs 10

12-01-2025 21:23

250112-z8q35azmav 10

Analysis

max time kernel
841s
max time network
842s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valhacks_1.exe
Size

719KB
MD5

4ec8339947d7cbb008baf517fcab0707
SHA1

6a29ca741ef10473b4b6c5af1caf899bc00ad87d
SHA256

820e078ba20a1d71567e03ba9ded74fba3783a332123141333b315c9e5a5a02a
SHA512

3bba68339f56b1c27987e12ab3052f0b4b18ddd4705ef962224d317d14fc8b0910e6cceb422ea2905b7923b20a289a19fb30d22d2c4904dce4ccaee760a6fc54
SSDEEP

12288:zCQjgAtAHM+vetZxF5EWry8AJGy0yvrVBHUl061yhp0xCkScaddIXEBObLJMjJN:z5ZWs+OZVEWry8AFBDVBHUl06YhpmA9D

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI0NjU2Mzk3NzA5MDE3MDg5MA.GSGnYD.mZ5A67Z0aJaltBR9NnuG2KEdqkMRU6_UcPS7N4
server_id
1246564755443814531

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2900	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
2016	Valhacks_1.exe
264	WerFault.exe
264	WerFault.exe
264	WerFault.exe
264	WerFault.exe
264	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2900	2016	Valhacks_1.exe	31
PID 2016 wrote to memory of 2900	2016	Valhacks_1.exe	31
PID 2016 wrote to memory of 2900	2016	Valhacks_1.exe	31
PID 2900 wrote to memory of 264	2900	Client-built.exe	32
PID 2900 wrote to memory of 264	2900	Client-built.exe	32
PID 2900 wrote to memory of 264	2900	Client-built.exe	32

C:\Users\Admin\AppData\Local\Temp\Valhacks_1.exe
C:\Users\Admin\AppData\Local\Temp\Valhacks_1.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2900 -s 596
    3⤵
    - Loads dropped DLL
    PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
78KB

MD5
1351e2f4d8fce5158b1528f9704bd721

SHA1
fab091a2f0f522774c9bb3bb3166e355fdf4826e

SHA256
aeb978fb4447c9a39cba32f48bc7537189ee6d99aed90c16a7323af5830f3bbf

SHA512
5118aa74de9b4e5bf473f424983e11cf5c38e19b8e5bf87b7627d59b8a5f94ea01cf9a73dd791147b6a3564fd5a7cf94b64d1df33c3f3ed63cf00db4b6e751fd

Download Submit
memory/2016-4-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2900-11-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2900-12-0x000000013F7D0000-0x000000013F7E8000-memory.dmp

Filesize
96KB

Download
memory/2900-17-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2900-19-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download