File name:

steal.exe

Full analysis: https://app.any.run/tasks/6d43659d-8f50-4af2-be96-88ab98c5318c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 01, 2024, 14:33:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
umbralstealer
stealer
discord
discordgrabber
generic
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

C9B347A376039E869C9E23D342104FC3

SHA1:

86E9AE4380C63BFFC3DC13288D99EA29CF5AE652

SHA256:

27EA5856CEB25C7BB7C99CF883ECAEE2C7FC7B1E9C595C0E2B18CCEA0DDA1441

SSDEEP:

3072:e1zJQhGjtQmzAvpehGfSdcRCG28CUZa+PqmEnANax5qw24QxY8e11sNeE6cB:zpSdcXW+PYANax5n2a8e1mQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Adds path to the Windows Defender exclusion list

      • steal.exe (PID: 2176)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • steal.exe (PID: 2176)

    • Create files in the Startup directory

      • steal.exe (PID: 2176)

    • Modifies hosts file to block updates

      • steal.exe (PID: 2176)

    • UMBRALSTEALER has been detected (YARA)

      • steal.exe (PID: 2176)

    • DISCORDGRABBER has been detected (YARA)

      • steal.exe (PID: 2176)

    • UMBRALSTEALER has been detected (SURICATA)

      • steal.exe (PID: 2176)

    • Starts CMD.EXE for self-deleting

      • steal.exe (PID: 2176)

    • Actions looks like stealing of personal data

      • steal.exe (PID: 2176)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain Windows Installer data

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads security settings of Internet Explorer

      • steal.exe (PID: 3152)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 2268)
      • WMIC.exe (PID: 3396)
      • WMIC.exe (PID: 6036)

    • Reads the date of Windows installation

      • steal.exe (PID: 3152)

    • Application launched itself

      • steal.exe (PID: 3152)

    • Uses ATTRIB.EXE to modify file attributes

      • steal.exe (PID: 2176)

    • Starts POWERSHELL.EXE for commands execution

      • steal.exe (PID: 2176)

    • Script adds exclusion path to Windows Defender

      • steal.exe (PID: 2176)

    • Script disables Windows Defender's real-time protection

      • steal.exe (PID: 2176)

    • Script disables Windows Defender's IPS

      • steal.exe (PID: 2176)

    • Uses WMIC.EXE to obtain operating system information

      • steal.exe (PID: 2176)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 2932)

    • Uses WMIC.EXE to obtain computer system information

      • steal.exe (PID: 2176)

    • Uses WMIC.EXE to obtain a list of video controllers

      • steal.exe (PID: 2176)

    • Executable content was dropped or overwritten

      • steal.exe (PID: 2176)

    • The process connected to a server suspected of theft

      • steal.exe (PID: 2176)

    • Checks for external IP

      • steal.exe (PID: 2176)
      • steal.exe (PID: 3152)

    • Starts CMD.EXE for commands execution

      • steal.exe (PID: 2176)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4480)

  • INFO

    • Checks proxy server information

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads the computer name

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Checks supported languages

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads the machine GUID from the registry

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads Environment values

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Disables trace logs

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads the software policy settings

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Process checks computer location settings

      • steal.exe (PID: 3152)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2268)
      • WMIC.exe (PID: 3396)
      • WMIC.exe (PID: 6036)
      • WMIC.exe (PID: 2932)
      • WMIC.exe (PID: 2412)
      • WMIC.exe (PID: 4480)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3976)
      • powershell.exe (PID: 5960)
      • powershell.exe (PID: 5264)
      • powershell.exe (PID: 1912)

    • Create files in a temporary directory

      • steal.exe (PID: 2176)

    • Creates files in the program directory

      • steal.exe (PID: 2176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2053:02:19 18:54:36+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 233472
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x3ae8e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Payload for Umbral Stealer
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
29
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start steal.exe wmic.exe no specs conhost.exe no specs #UMBRALSTEALER steal.exe wmic.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1428\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1912"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2064\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2176"C:\Users\admin\AppData\Local\Temp\steal.exe" C:\Users\admin\AppData\Local\Temp\steal.exe
steal.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\steal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2268"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2404\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2412"wmic.exe" computersystem get totalphysicalmemoryC:\Windows\System32\wbem\WMIC.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2932"wmic.exe" os get CaptionC:\Windows\System32\wbem\WMIC.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
3052\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
31 713
Read events
31 691
Write events
22
Delete events
0

Modification events

(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
6
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
3976powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yp44qrvi.l4j.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3976powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_op4u52uq.p0u.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5960powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_phcuwt1h.jkp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2176steal.exeC:\Users\admin\AppData\Local\Temp\Ox9G1or6rA1KYOo\Browsers\Cookies\Edge Cookies.txttext
MD5:871FE3AC1630E064B7AA098657F5EABE
SHA256:E0D7792DC70C3ABF1C99956E6BA553B700F8C113A4CB45B355B24FE6814B3C22
1912powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v3qpjv2n.oxn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_girxxqi1.m2i.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2176steal.exeC:\Users\admin\AppData\Local\Temp\San6ZPAhOuFO2gnbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
5264powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cxwshuko.20o.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2176steal.exeC:\Users\admin\AppData\Local\Temp\Ox9G1or6rA1KYOo\Display\Display.pngimage
MD5:8A26C9A02B9CB1A0B830FCAAB5890145
SHA256:55A35DE90AF235B1625C536FD5B89B57F3103187A8E6388BEAA2F8110D749528
5284powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bomyrctn.fyq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
60
DNS requests
20
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
3152
steal.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
unknown
2176
steal.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
1540
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1832
SIHClient.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
1540
MoUsoCoreWorker.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2176
steal.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
unknown
1832
SIHClient.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2848
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3656
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1540
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3152
steal.exe
172.217.23.99:443
gstatic.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
3152
steal.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2176
steal.exe
172.217.23.99:443
gstatic.com
GOOGLE
US
whitelisted
4656
SearchApp.exe
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
unknown
2176
steal.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown

DNS requests

Domain
IP
Reputation
gstatic.com
  • 172.217.23.99
whitelisted
ip-api.com
  • 208.95.112.1
shared
www.bing.com
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.137
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.140
  • 2.23.209.185
  • 2.23.209.186
  • 2.23.209.189
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.128.233
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2168
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3152
steal.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
3152
steal.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2176
steal.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2176
steal.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2176
steal.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2176
steal.exe
A Network Trojan was detected
STEALER [ANY.RUN] UmbralStealer Generic External IP Check
2168
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2176
steal.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
steal.exe