discordrat | ea0dfa0aa7c5442efd8b3cf0a553f83bbcdd5f64e9b96470f5e17d12edfdf945 | Triage

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 19:52

Sharing

Report Analysis Logs

General

Target

seba.exe
Size

78KB
MD5

9641d619bf8575e1b2d43ae2e4ca28bb
SHA1

e19700f8a645a513bf184146821b6b52676040f7
SHA256

ea0dfa0aa7c5442efd8b3cf0a553f83bbcdd5f64e9b96470f5e17d12edfdf945
SHA512

3d332a91a9c3f66df77101ae74465a41721f85551d6f675cdc049ed1017427887d163915655b07c555c0898d04229d82f207a69dff2f78694cfb5d73a8c0684d
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+pPIC:5Zv5PDwbjNrmAE+ZIC

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMzE3NTA2MTQzOTQ0NzEwMQ.GF7IPf.28Nx_t4P-22zVkKEjaXGlf2UjTqkyWZJ-GTh8k
server_id
1333175340633423913

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2736	3052	seba.exe	30
PID 3052 wrote to memory of 2736	3052	seba.exe	30
PID 3052 wrote to memory of 2736	3052	seba.exe	30

C:\Users\Admin\AppData\Local\Temp\seba.exe
"C:\Users\Admin\AppData\Local\Temp\seba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3052 -s 596
  2⤵
  PID:2736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-0-0x000007FEF4EE3000-0x000007FEF4EE4000-memory.dmp

Filesize
4KB

Download
memory/3052-1-0x000000013F4D0000-0x000000013F4E8000-memory.dmp

Filesize
96KB

Download
memory/3052-2-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

Filesize
9.9MB

Download
memory/3052-3-0x000007FEF4EE0000-0x000007FEF58CC000-memory.dmp

Filesize
9.9MB

Download