discordrat | 4c56e50351c382dc82173c238228540ee12ecd399a8aab16d9bc49bfa4031e12

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-02-2025 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toystorylogo-4k.exe
Size

524KB
MD5

34ae0745931735f6af04adce8c1358d4
SHA1

825aabac462d7cdf80cd864a37e52175b2b78c0c
SHA256

4c56e50351c382dc82173c238228540ee12ecd399a8aab16d9bc49bfa4031e12
SHA512

5dc2f74cd7baad445650c57332a4c46462323635b40360915bc07dabfa69d9a4419528c4e4fd73efae59e68aa9220083ce5cbbcaa06c742eafc47f7350acdc43
SSDEEP

12288:3yveQB/fTHIGaPkKEYzURNAwbAg8j03rxuLrW:3uDXTIGaPhEYzUzA0qI3NuLrW

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNjA0MTEzNzYxNzc2NDUxNQ.GWUfuA.NHNO6tvAPM86NN4d9WM8wruyH3mk45GH-m19GM
server_id
1336040095018520668

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2808	xdbackdoor.exe

Loads dropped DLL 6 IoCs

pid	Process
2684	toystorylogo-4k.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2808	2684	toystorylogo-4k.exe	31
PID 2684 wrote to memory of 2808	2684	toystorylogo-4k.exe	31
PID 2684 wrote to memory of 2808	2684	toystorylogo-4k.exe	31
PID 2808 wrote to memory of 2816	2808	xdbackdoor.exe	32
PID 2808 wrote to memory of 2816	2808	xdbackdoor.exe	32
PID 2808 wrote to memory of 2816	2808	xdbackdoor.exe	32

C:\Users\Admin\AppData\Local\Temp\toystorylogo-4k.exe
"C:\Users\Admin\AppData\Local\Temp\toystorylogo-4k.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2808 -s 596
    3⤵
    - Loads dropped DLL
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xdbackdoor.exe

Filesize
78KB

MD5
2b0bb0b81b221965408bc75caf13f1e6

SHA1
3bf4b6917c1c6e943613507c8a15f2c0a504dd85

SHA256
5cdcda478e5966aecc8b166f7899cc82e423ec3ff5af27061d1814b2cbe6c23e

SHA512
2796ad2d3d5299df540684cc6b6c250915c5d7960e0015c506eac950c44cd6e0ebe8c1eef5f50badaa387f7f811c4ffb4179f19a6520ef2933becfd4480bf58a

Download Submit
memory/2684-4-0x0000000002220000-0x0000000002230000-memory.dmp

Filesize
64KB

Download
memory/2808-11-0x000007FEF6063000-0x000007FEF6064000-memory.dmp

Filesize
4KB

Download
memory/2808-12-0x000000013FF40000-0x000000013FF58000-memory.dmp

Filesize
96KB

Download
memory/2808-17-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-19-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download