Overview

overview

10

Static

static

3

7c8eb8b612...c3.exe

windows7-x64

10

7c8eb8b612...c3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    02-02-2025 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c8eb8b61268aa05633afa7161190ee8ed57e80354ded18cb1062cd3a3c945c3.exe

  • Size

    391KB

  • MD5

    ffd95f201b6b78245e7cb9586934f522

  • SHA1

    aa85ccb2d05b9d5826f2ea3d189c5e1f78c24c8d

  • SHA256

    7c8eb8b61268aa05633afa7161190ee8ed57e80354ded18cb1062cd3a3c945c3

  • SHA512

    7f92a57b6cf942d6eaeab003f1bd05e55a5a66011aa22f4a902a3c1928ded90443946f5ad5c61c1baba12a28c29431520aaa3f00fe594983cbdb01c464b61967

  • SSDEEP

    6144:7E+yclwQKjdn+WPtYVJIoBfYo/eyd8/tbrIQ7Oi9Ku:7BdlwHRn+WlYV+RVz/Nr17J

Score
10/10
discordratdiscoverypersistenceratrootkitstealer

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTMxNzUwNjY0NjkzMDYyMDQ5Ng.GNBK2Y.upogfQP8BcmxvUWnTPh9TiKyGPCxMpHGHpJtR0

  • server_id

    1317507198582128671

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

    stealerrootkitratpersistencediscordrat
  • Discordrat family
    discordrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c8eb8b61268aa05633afa7161190ee8ed57e80354ded18cb1062cd3a3c945c3.exe
    "C:\Users\Admin\AppData\Local\Temp\7c8eb8b61268aa05633afa7161190ee8ed57e80354ded18cb1062cd3a3c945c3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 792 -s 596
        3⤵
        • Loads dropped DLL
        PID:2760
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\screenshot.png
    Filesize

    16KB

    MD5

    606613cc1965ecf6ec7b42d94efcb2cd

    SHA1

    84e848b5958b7352b3c748bc56db99ea07eb23d2

    SHA256

    b5f36538eb0dde089abec9b880c153d6216b8fdbc3941f3396ef6a68c105cad6

    SHA512

    f876d6b0b02505fc835a7a048f90bdfd3ff31682a4e84acc58dbb4c4255be030c1bb8fbc7c822f6f6b9c46061fb4716bae9d98cff9217155a5cd841294e6ab7b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\rar.exe
    Filesize

    78KB

    MD5

    928b34327061b09e7e40759d04363eeb

    SHA1

    a1e5715f0e0d054d654dcc6746b37c9a60f9ccfe

    SHA256

    ea72c77769e394a017c08af3640c090d4216495d730f2612e8729d933589460c

    SHA512

    62b8bd581583f872f4df5b2ffd999a31b6d98c6aa16ae522d02e2124995d5d4a4253e459b31af55abaaffd4e0d6bf373b5cc2b4b5269053994629f5ef82c2250

    Download Submit

  • memory/792-13-0x000000013F690000-0x000000013F6A8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2016-4-0x0000000000D00000-0x0000000000D02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2468-5-0x0000000000090000-0x0000000000092000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2468-6-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2468-20-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download