discordrat | d93a0adaa8927c9e889012a495076668512f7f011264c52fb3bd9b9c6094ae35

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-02-2025 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Monke Mod Manager premium.exe
Size

624KB
MD5

0e886c0acf85866b1246118efb9606b1
SHA1

2a22eeee5cbf665e132f40ab00a8f55d8581cb2b
SHA256

d93a0adaa8927c9e889012a495076668512f7f011264c52fb3bd9b9c6094ae35
SHA512

2e44d466cc6eec9225d6bccfb7b22aaa1564e8c7830e779bab97cf5e69ddc9a647271869caef84017a27d821e9b09b895547e132755f70873f019b0667bc465d
SSDEEP

12288:gyveQB/fTHIGaPkKEYzURNAwbAg8n9ztBM33wEp:guDXTIGaPhEYzUzA0q9ZBMnws

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzNzI2MjIwNTkxNzQ2MjU4MA.GnoNqI.vSCLHUKt9B1-VRUYB0OYpmtmITqR9PlfuRTZck
server_id
1335098734836449331

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
2880	penguin223.exe

Loads dropped DLL 6 IoCs

pid	Process
1996	Monke Mod Manager premium.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2880	1996	Monke Mod Manager premium.exe	30
PID 1996 wrote to memory of 2880	1996	Monke Mod Manager premium.exe	30
PID 1996 wrote to memory of 2880	1996	Monke Mod Manager premium.exe	30
PID 2880 wrote to memory of 2704	2880	penguin223.exe	31
PID 2880 wrote to memory of 2704	2880	penguin223.exe	31
PID 2880 wrote to memory of 2704	2880	penguin223.exe	31

C:\Users\Admin\AppData\Local\Temp\Monke Mod Manager premium.exe
"C:\Users\Admin\AppData\Local\Temp\Monke Mod Manager premium.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\penguin223.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\penguin223.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2880 -s 596
    3⤵
    - Loads dropped DLL
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\penguin223.exe

Filesize
78KB

MD5
00fb8ed5dbd9d8bbcc4d25b8995916a3

SHA1
f6a61765c3b7e40fd3c32ea8110acf7c9d4e0d04

SHA256
914c55a461045c9d77253a4a538aa1664608de593b6abd8ea382dff11ea21994

SHA512
f9ab770be2eb5ee4fcaec082a464f17498da0f4dedea66905e3794de21036ed0c53053aff2525c634c28b775235bffa8234781126f71683c1ccdd49f4315ff23

Download Submit
memory/1996-4-0x00000000022A0000-0x00000000022B0000-memory.dmp

Filesize
64KB

Download
memory/2880-11-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

Filesize
4KB

Download
memory/2880-12-0x000000013FA70000-0x000000013FA88000-memory.dmp

Filesize
96KB

Download
memory/2880-17-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-19-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

Filesize
9.9MB

Download