discordrat | 243b60f492841d17b52e3b5c706a8670828b7d88d2e2dc0374539d5134b57b24

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
27/02/2025, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nigga_xDgpj.exe
Size

560KB
MD5

4130a7337ae3c2f72a312b1db9de064a
SHA1

3b1eeb1281ec7ca85f26f36f8294a76b715eef97
SHA256

243b60f492841d17b52e3b5c706a8670828b7d88d2e2dc0374539d5134b57b24
SHA512

c2a42111cfb30d128c1b4b57e1a0e704658747b27016ef41560efee2a59c52d7e9c5ae6a06219478955e8b868014b1a44593ecdf2617413bc0de939c3f29ad05
SSDEEP

6144:xE+yclwQKjdn+WPtYVJIoBfYhX9Rvn5lEvuh/2ODio6/lb:xBdlwHRn+WlYV+5hrxS2h21oOb

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTM0NDcyNDEzNTI0NjQzMDIzOQ.GGKgtT.gXaA8zDpJ8lHXN-X0I59jvy0XMmqHOu4MC1b_A
server_id
1340437348676010064

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 1 IoCs

pid	Process
1788	backdoor.exe

Loads dropped DLL 6 IoCs

pid	Process
2188	nigga_xDgpj.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe
2976	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nigga_xDgpj.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1788	2188	nigga_xDgpj.exe	30
PID 2188 wrote to memory of 1788	2188	nigga_xDgpj.exe	30
PID 2188 wrote to memory of 1788	2188	nigga_xDgpj.exe	30
PID 2188 wrote to memory of 1788	2188	nigga_xDgpj.exe	30
PID 1788 wrote to memory of 2976	1788	backdoor.exe	31
PID 1788 wrote to memory of 2976	1788	backdoor.exe	31
PID 1788 wrote to memory of 2976	1788	backdoor.exe	31

C:\Users\Admin\AppData\Local\Temp\nigga_xDgpj.exe
"C:\Users\Admin\AppData\Local\Temp\nigga_xDgpj.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\backdoor.exe
  "C:\Users\Admin\AppData\Local\Temp\backdoor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1788 -s 604
    3⤵
    - Loads dropped DLL
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\backdoor.exe

Filesize
78KB

MD5
2ff9bd98b4c82d23fd1a065bef442d64

SHA1
489b72fac997bba33f4db6094cb2f343823f9efa

SHA256
c0e87f3422eae345deee3f894f4782bf209b8d70faceed84caf7eb811be21427

SHA512
04cc0d092f0e35ec5b401649c654ae48a41549353547be5b2a5abb52e00be87ce35935447cdfd0ed964ede356057511ff0ba07629a8b72a175c755d73174924e

Download Submit
memory/1788-11-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/1788-12-0x000000013F4B0000-0x000000013F4C8000-memory.dmp

Filesize
96KB

Download
memory/1788-17-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1788-19-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-4-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download