discordrat | 27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mtreegpj.exe
Size

1.3MB
MD5

b8b0baac29daa1eff8ecb046fe91f104
SHA1

c6ece29c90cb57bca393139e44d70b029bc1f677
SHA256

27a1137b8d934f10c2166261ddf2b424e4803102809c446d36767d581b533a96
SHA512

5501afad683faeb9e174487caf6f5280aab51050b366334c56539ef7977248c7bb05c8b48c9f5e6198ac728703921dbb29f9bf17e37162410a64caf1e662b3c0
SSDEEP

24576:ZuDXTIGaPhEYzUzA0qBc+ZKhmVbC9eabpmkmZ3IaezdKcMYwFL+bGljFIh0aTOS7:8Djlabwz9AjABbpmHmapcMYJo0TOI

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMjk5NDEwMjkwMzU3MDU0Mw.GjHo9c.uUUeJljLrRcuIvW_FlFF0o4Eh6h5i-SEDWYry8
server_id
1332539766268231760

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2652	Client-built.exe

Loads dropped DLL 6 IoCs

pid	Process
2164	mtreegpj.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe
2544	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2652	2164	mtreegpj.exe	32
PID 2164 wrote to memory of 2652	2164	mtreegpj.exe	32
PID 2164 wrote to memory of 2652	2164	mtreegpj.exe	32
PID 2652 wrote to memory of 2544	2652	Client-built.exe	33
PID 2652 wrote to memory of 2544	2652	Client-built.exe	33
PID 2652 wrote to memory of 2544	2652	Client-built.exe	33

C:\Users\Admin\AppData\Local\Temp\mtreegpj.exe
"C:\Users\Admin\AppData\Local\Temp\mtreegpj.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2652 -s 596
    3⤵
    - Loads dropped DLL
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Client-built.exe

Filesize
78KB

MD5
cf3c7283d0e6d81dbd48c159d7e9b3b3

SHA1
bdbf22216c154f6ce7271656692aac72d6722ea7

SHA256
8f55bd1762834764908a60c291607ec869cde7609c558edf1f02a4bfa6e39ae5

SHA512
36e8b38288450a9e60437abfe3971b824e128c63c773843c1ac139b52265602012c322cadcc58705215d7d76f08bfb7f983c011b15bcda15b89dfb22df5d9fc6

Download Submit
memory/2164-4-0x0000000001FB0000-0x0000000001FC0000-memory.dmp

Filesize
64KB

Download
memory/2652-11-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

Filesize
4KB

Download
memory/2652-12-0x000000013F8D0000-0x000000013F8E8000-memory.dmp

Filesize
96KB

Download
memory/2652-17-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-19-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download