discordrat | 0a5829c5c2d1ffb068abcffc0a6f808438a52cbb7e974445d08770428b96c7b7 | Triage

Resubmissions

24-01-2025 19:06

250124-xr62xatkbt 10

24-01-2025 18:25

250124-w2yb3s1pdt 10

Analysis

max time kernel
1s
max time network
4s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 19:06

Sharing

Report Analysis Logs

General

Target

TEST.exe
Size

78KB
MD5

d342164488b5574da639e404c0756831
SHA1

1896ec0095610935993935b1fa14678d729e3d12
SHA256

0a5829c5c2d1ffb068abcffc0a6f808438a52cbb7e974445d08770428b96c7b7
SHA512

0b9b76906bf6ec4e2868d3412df69ee77bef132ff2396c2cf802c44e909c53635bfccdfd23fae3b55560f4e83edacec529311f94901e6c23654e4f8bb8e62590
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+yPIC:5Zv5PDwbjNrmAE++IC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjQwOTA2MzQ5NzAwNzIwNA.G_n8fU.DfbgmS7-yP4cbSNse2dBgOV4sXge7EKO5X8MBo
server_id
1332408693144420362

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2096	2100	TEST.exe	30
PID 2100 wrote to memory of 2096	2100	TEST.exe	30
PID 2100 wrote to memory of 2096	2100	TEST.exe	30

C:\Users\Admin\AppData\Local\Temp\TEST.exe
"C:\Users\Admin\AppData\Local\Temp\TEST.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2100 -s 596
  2⤵
  PID:2096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2100-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x000000013F2A0000-0x000000013F2B8000-memory.dmp

Filesize
96KB

Download
memory/2100-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download