analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Discord Checker by xPolish.rar

Full analysis: https://app.any.run/tasks/62e68883-c5c7-4c78-882f-75e7333a01ce
Verdict: Malicious activity
Analysis date: January 24, 2022, 17:34:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

FF22249350E055478DA436E3EB9E0EDC

SHA1:

01AB2281B86B61EA42D5C50B10C3FFAD3893640D

SHA256:

1FC79A9CB2DC0FB8E2014C0D89BCAE129FC2B403A32A5604A5FDBDD033C63BA8

SSDEEP:

12288:Cv2XHfRvImhFH2uuJLuYiw2uWL+vXNfgq8M6U8lc:CvCwSH2RLuYiqD9NLH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Launcher.exe (PID: 2940)
      • DiscordChecker.exe (PID: 2140)
      • bindc.exe (PID: 1260)
      • Runtime Explorer.exe (PID: 3976)
      • Secure System Shell.exe (PID: 2168)
      • Windows Services.exe (PID: 1144)
      • Runtime Explorer.exe (PID: 3132)
      • Runtime Explorer.exe (PID: 3820)
      • Launcher.exe (PID: 3652)
      • DiscordChecker.exe (PID: 2112)
      • bindc.exe (PID: 2160)
      • bindc.exe (PID: 1312)
      • Launcher.exe (PID: 296)
    • Loads dropped or rewritten executable

      • Launcher.exe (PID: 2940)
      • SearchProtocolHost.exe (PID: 1036)
      • Launcher.exe (PID: 3652)
      • Explorer.EXE (PID: 740)
      • Launcher.exe (PID: 296)
    • Changes the autorun value in the registry

      • Launcher.exe (PID: 2940)
    • Writes to a start menu file

      • Launcher.exe (PID: 2940)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 1044)
      • DiscordChecker.exe (PID: 2140)
      • Launcher.exe (PID: 2940)
      • powershell.exe (PID: 1348)
      • bindc.exe (PID: 1260)
      • Windows Services.exe (PID: 1144)
      • Runtime Explorer.exe (PID: 3132)
      • Secure System Shell.exe (PID: 2168)
      • Runtime Explorer.exe (PID: 3976)
      • Runtime Explorer.exe (PID: 3820)
      • DiscordChecker.exe (PID: 2112)
      • bindc.exe (PID: 2160)
      • Launcher.exe (PID: 3652)
      • Launcher.exe (PID: 296)
      • bindc.exe (PID: 1312)
    • Reads the computer name

      • WinRAR.exe (PID: 1044)
      • DiscordChecker.exe (PID: 2140)
      • Launcher.exe (PID: 2940)
      • powershell.exe (PID: 1348)
      • bindc.exe (PID: 1260)
      • Secure System Shell.exe (PID: 2168)
      • Windows Services.exe (PID: 1144)
      • DiscordChecker.exe (PID: 2112)
      • Launcher.exe (PID: 3652)
      • bindc.exe (PID: 2160)
      • bindc.exe (PID: 1312)
      • Launcher.exe (PID: 296)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • WinRAR.exe (PID: 1044)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 1044)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1044)
      • Launcher.exe (PID: 2940)
    • Executes PowerShell scripts

      • Launcher.exe (PID: 2940)
    • Creates files in the user directory

      • Launcher.exe (PID: 2940)
      • Explorer.EXE (PID: 740)
    • Creates files in the Windows directory

      • Launcher.exe (PID: 2940)
    • Uses RUNDLL32.EXE to load library

      • Explorer.EXE (PID: 740)
  • INFO

    • Checks Windows Trust Settings

      • powershell.exe (PID: 1348)
    • Reads settings of System Certificates

      • powershell.exe (PID: 1348)
    • Dropped object may contain Bitcoin addresses

      • Launcher.exe (PID: 2940)
    • Manual execution by user

      • DiscordChecker.exe (PID: 2112)
      • NOTEPAD.EXE (PID: 3512)
      • NOTEPAD.EXE (PID: 2572)
      • rundll32.exe (PID: 2904)
    • Checks supported languages

      • NOTEPAD.EXE (PID: 2572)
      • NOTEPAD.EXE (PID: 3512)
      • rundll32.exe (PID: 2904)
      • NOTEPAD.EXE (PID: 2064)
      • NOTEPAD.EXE (PID: 2724)
      • rundll32.exe (PID: 1420)
      • rundll32.exe (PID: 444)
    • Reads the computer name

      • rundll32.exe (PID: 2904)
      • rundll32.exe (PID: 1420)
      • rundll32.exe (PID: 444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
70
Monitored processes
24
Malicious processes
12
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start start drop and start winrar.exe discordchecker.exe no specs launcher.exe powershell.exe no specs bindc.exe windows services.exe no specs secure system shell.exe no specs runtime explorer.exe no specs runtime explorer.exe no specs runtime explorer.exe no specs searchprotocolhost.exe no specs discordchecker.exe no specs launcher.exe bindc.exe notepad.exe no specs notepad.exe no specs explorer.exe no specs rundll32.exe no specs notepad.exe no specs bindc.exe no specs launcher.exe no specs rundll32.exe no specs rundll32.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1044"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Discord Checker by xPolish.rar"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2140"C:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\DiscordChecker.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\DiscordChecker.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Launcher
Exit code:
0
Version:
1.0.0.0
2940"C:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\system\Launcher.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\system\Launcher.exe
DiscordChecker.exe
User:
admin
Integrity Level:
HIGH
Description:
Launcher
Exit code:
0
Version:
1.0.0.0
1348"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLauncher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
1260"C:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\system\bindc.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\system\bindc.exe
DiscordChecker.exe
User:
admin
Integrity Level:
HIGH
Description:
DiscordChecker
Exit code:
0
Version:
1.0.0.0
1144"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}C:\Windows\IMF\Windows Services.exeLauncher.exe
User:
admin
Integrity Level:
HIGH
Description:
Windows Services
Version:
1.0.0.0
2168"C:\Windows\IMF\Secure System Shell.exe" C:\Windows\IMF\Secure System Shell.exeWindows Services.exe
User:
admin
Integrity Level:
HIGH
Description:
Secure System Shell
Version:
1.0.0.0
3132"C:\Windows\IMF\Runtime Explorer.exe" C:\Windows\IMF\Runtime Explorer.exeWindows Services.exe
User:
admin
Company:
Microsoft Windows
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
3976"C:\Windows\IMF\Runtime Explorer.exe" C:\Windows\IMF\Runtime Explorer.exeWindows Services.exe
User:
admin
Company:
Microsoft Windows
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
3820"C:\Windows\IMF\Runtime Explorer.exe" C:\Windows\IMF\Runtime Explorer.exeWindows Services.exe
User:
admin
Company:
Microsoft Windows
Integrity Level:
HIGH
Version:
1.00
Total events
14 610
Read events
14 157
Write events
0
Delete events
0

Modification events

No data
Executable files
18
Suspicious files
8
Text files
4
Unknown types
11

Dropped files

PID
Process
Filename
Type
1044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\xNet.dllexecutable
MD5:BF1F76644BDDD20339548EBACF7A48EB
SHA256:5D9C2B1822BCAA71DDEAA5426D4312D8E174766AE8864C7ADD29D7F44CEA87F2
1348powershell.exeC:\Users\admin\AppData\Local\Temp\rcdpu3ei.dsv.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2940Launcher.exeC:\Windows\IMF\Windows Services.exeexecutable
MD5:AD0CE1302147FBDFECAEC58480EB9CF9
SHA256:2C339B52B82E73B4698A0110CDFE310C00C5C69078E9E1BD6FA1308652BF82A3
1044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\Virus Total\desktop.iniini
MD5:C279803B27F13369AA54FC9B84B72468
SHA256:D80758A34364CAB9DE42FF6ED57BCC753A0936DDDDF9952C5B4FB9FF0D7966C9
2940Launcher.exeC:\Windows\IMF\Runtime Explorer.exeexecutable
MD5:D42C2456EA9DE66A75A29DEA464A4E4D
SHA256:907E7F7E2EE47C955CF315747AB913B591E9046F51C0F3BA9A6EEF696346198E
1044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\DiscordChecker.exeexecutable
MD5:2636325F4E80BD2E2E841A91AC47B514
SHA256:2A9987F4B98D1C1E9351124FE5B8ECD2EEA8E42AF0B9E30097AC5BA34C68C2E5
1044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\system\LICENCE.datcompressed
MD5:F3014A18051F4E596AB95DA9138F6F6B
SHA256:1F84A00808D5ECA122FDE7F20708F272C349FAE1EAA1129B5C694750F2E047D6
1348powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
1044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa1044.33086\Discord Checker by xPolish\system\xNet.dllexecutable
MD5:BF1F76644BDDD20339548EBACF7A48EB
SHA256:5D9C2B1822BCAA71DDEAA5426D4312D8E174766AE8864C7ADD29D7F44CEA87F2
2940Launcher.exeC:\Windows\IMF\Secure System Shell.exeexecutable
MD5:7D0C7359E5B2DAA5665D01AFDC98CC00
SHA256:F1ABD5AB03189E82971513E6CA04BD372FCF234D670079888F01CF4ADDD49809
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info