discordrat | 16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82 | Triage

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 14:52

Sharing

Report Analysis Logs

General

Target

Test.exe
Size

78KB
MD5

e3347a9a35a3397e489ae738b27f7cc7
SHA1

e72a6f4f1fed3513aeef20986cb362e5d2fdfebe
SHA256

16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82
SHA512

a75da2b099bef712bcf87c02aa23e84d5d90f5b0a9e5bb0a27b437ddd6ad777768a1273052e72a720e141db61c4f0ebbe50316df069253afc675a7e46bbb3151
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDYxOTg4NTMzMTQxNTEyMA.GvolIj.JCM-OtlpaFBedk3GoFB_aY1Hi31oF4XpkLv81A
server_id
1330576263034699828

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2912	1872	Test.exe	28
PID 1872 wrote to memory of 2912	1872	Test.exe	28
PID 1872 wrote to memory of 2912	1872	Test.exe	28

C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1872 -s 600
  2⤵
  PID:2912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1872-0-0x000007FEF5CC3000-0x000007FEF5CC4000-memory.dmp

Filesize
4KB

Download
memory/1872-1-0x000000013F410000-0x000000013F428000-memory.dmp

Filesize
96KB

Download
memory/1872-2-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-3-0x000007FEF5CC0000-0x000007FEF66AC000-memory.dmp

Filesize
9.9MB

Download