File name:

testpng.exe

Full analysis: https://app.any.run/tasks/d024cd7f-6e6c-464a-800c-114795068afe
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 13, 2024, 19:19:16
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
exfiltration
stealer
evasion
discordrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5:

98F6E65BE9A95B6A0CCF9A5AACF89DE5

SHA1:

6D4E66094D5E332457D62ED2B9910BC229240D58

SHA256:

23BB32996F7D5E1F33AB05600C29642956EDC6B262304035EFAB73F3B86FEEC9

SSDEEP:

1536:CWvujCuQECZ2Mxb78WwbjVxCahfoKV6+V+Xh2if:mZQrH/wbjJ6E+X8if

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Stealers network behavior

      • testpng.exe (PID: 6504)

    • Attempting to use instant messaging service

      • testpng.exe (PID: 6504)

    • DISCORDRAT has been detected (YARA)

      • testpng.exe (PID: 6504)

  • SUSPICIOUS

    • The process connected to a server suspected of theft

      • testpng.exe (PID: 6504)

    • Checks for external IP

      • testpng.exe (PID: 6504)
      • svchost.exe (PID: 2192)

  • INFO

    • Disables trace logs

      • testpng.exe (PID: 6504)

    • Reads the machine GUID from the registry

      • testpng.exe (PID: 6504)

    • Reads the computer name

      • testpng.exe (PID: 6504)

    • Reads Environment values

      • testpng.exe (PID: 6504)

    • Checks proxy server information

      • testpng.exe (PID: 6504)

    • Checks supported languages

      • testpng.exe (PID: 6504)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2192)
      • testpng.exe (PID: 6504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2084:03:20 18:56:28+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 48
CodeSize: 78336
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Discord rat
FileVersion: 1.0.0.0
InternalName: Discord rat.exe
LegalCopyright: Copyright © 2022
LegalTrademarks: -
OriginalFileName: Discord rat.exe
ProductName: Discord rat
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DISCORDRAT testpng.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
6504"C:\Users\admin\Desktop\testpng.exe" C:\Users\admin\Desktop\testpng.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Discord rat
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\testpng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
3 883
Read events
3 869
Write events
14
Delete events
0

Modification events

(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6504) testpng.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\testpng_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
57
DNS requests
22
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
101
162.159.136.234:443
https://gateway.discord.gg/?v=9&encording=json
unknown
3508
svchost.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3508
svchost.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
23.48.23.173:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7016
SIHClient.exe
GET
200
2.23.9.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
3508
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.212.110.187:443
www.bing.com
Akamai International B.V.
CZ
whitelisted
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1076
svchost.exe
23.213.166.81:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
6504
testpng.exe
162.159.133.234:443
gateway.discord.gg
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 23.212.110.187
  • 23.212.110.179
  • 23.212.110.202
  • 23.212.110.171
  • 23.212.110.170
  • 23.212.110.184
  • 23.212.110.185
  • 23.212.110.200
  • 23.212.110.177
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.75
whitelisted
google.com
  • 142.250.181.238
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
gateway.discord.gg
  • 162.159.133.234
  • 162.159.130.234
  • 162.159.134.234
  • 162.159.136.234
  • 162.159.135.234
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.194
  • 23.48.23.141
  • 23.48.23.145
  • 23.48.23.159
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.143
  • 23.48.23.177
  • 23.48.23.173
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 2.23.9.218
whitelisted
discord.com
  • 162.159.128.233
  • 162.159.137.232
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.138.232
whitelisted
geolocation-db.com
  • 159.89.102.253
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Successful Credential Theft Detected
STEALER [ANY.RUN] Attempt to exfiltrate via Discord
Misc activity
ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
Misc activity
ET INFO External IP Lookup Domain (geolocation-db .com) in TLS SNI
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
testpng.exe