discordrat | 1e901dc90a224a0cfd02385fad0c4d8fbca7470618252b959692cfcf3f4591d7 | Triage

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/01/2025, 18:33

Sharing

Report Analysis Logs

General

Target

openme.exe
Size

78KB
MD5

996fcd8dea911767b0d31cefea3399ec
SHA1

eae584befb2ee007f926687f998055f5f440df0e
SHA256

1e901dc90a224a0cfd02385fad0c4d8fbca7470618252b959692cfcf3f4591d7
SHA512

8c13e7ca10d8522ac64da1da3b9fe2f741446ab0921f6847e660833ce461aeef8ba7611e31b0d0da8ec36da18d89f2953d404646df43b37419cb11fd35905ee8
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V++HPIC:5Zv5PDwbjNrmAE++vIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDE5ODMxMTk5ODcyMjE4OA.G0sEX0.-DReZLhuwLLB8hT7ecsfhS4Y_q7JSZcVnu-4k0
server_id
1330084590068695112

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 1372	2068	openme.exe	30
PID 2068 wrote to memory of 1372	2068	openme.exe	30
PID 2068 wrote to memory of 1372	2068	openme.exe	30

C:\Users\Admin\AppData\Local\Temp\openme.exe
"C:\Users\Admin\AppData\Local\Temp\openme.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2068 -s 596
  2⤵
  PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2068-0-0x000007FEF5B23000-0x000007FEF5B24000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x000000013F510000-0x000000013F528000-memory.dmp

Filesize
96KB

Download
memory/2068-2-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-3-0x000007FEF5B20000-0x000007FEF650C000-memory.dmp

Filesize
9.9MB

Download