File name:

steal.exe

Full analysis: https://app.any.run/tasks/6d43659d-8f50-4af2-be96-88ab98c5318c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: July 01, 2024, 14:33:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
umbralstealer
stealer
discord
discordgrabber
generic
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

C9B347A376039E869C9E23D342104FC3

SHA1:

86E9AE4380C63BFFC3DC13288D99EA29CF5AE652

SHA256:

27EA5856CEB25C7BB7C99CF883ECAEE2C7FC7B1E9C595C0E2B18CCEA0DDA1441

SSDEEP:

3072:e1zJQhGjtQmzAvpehGfSdcRCG28CUZa+PqmEnANax5qw24QxY8e11sNeE6cB:zpSdcXW+PYANax5n2a8e1mQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Adds path to the Windows Defender exclusion list

      • steal.exe (PID: 2176)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • steal.exe (PID: 2176)

    • DISCORDGRABBER has been detected (YARA)

      • steal.exe (PID: 2176)

    • UMBRALSTEALER has been detected (YARA)

      • steal.exe (PID: 2176)

    • Create files in the Startup directory

      • steal.exe (PID: 2176)

    • Modifies hosts file to block updates

      • steal.exe (PID: 2176)

    • UMBRALSTEALER has been detected (SURICATA)

      • steal.exe (PID: 2176)

    • Starts CMD.EXE for self-deleting

      • steal.exe (PID: 2176)

    • Actions looks like stealing of personal data

      • steal.exe (PID: 2176)

  • SUSPICIOUS

    • Uses WMIC.EXE to obtain Windows Installer data

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads security settings of Internet Explorer

      • steal.exe (PID: 3152)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 2268)
      • WMIC.exe (PID: 3396)
      • WMIC.exe (PID: 6036)

    • Reads the date of Windows installation

      • steal.exe (PID: 3152)

    • Application launched itself

      • steal.exe (PID: 3152)

    • Starts POWERSHELL.EXE for commands execution

      • steal.exe (PID: 2176)

    • Uses ATTRIB.EXE to modify file attributes

      • steal.exe (PID: 2176)

    • Script disables Windows Defender's IPS

      • steal.exe (PID: 2176)

    • Script adds exclusion path to Windows Defender

      • steal.exe (PID: 2176)

    • Script disables Windows Defender's real-time protection

      • steal.exe (PID: 2176)

    • Executable content was dropped or overwritten

      • steal.exe (PID: 2176)

    • Uses WMIC.EXE to obtain computer system information

      • steal.exe (PID: 2176)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 2932)

    • Uses WMIC.EXE to obtain operating system information

      • steal.exe (PID: 2176)

    • Uses WMIC.EXE to obtain a list of video controllers

      • steal.exe (PID: 2176)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4480)

    • Checks for external IP

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Starts CMD.EXE for commands execution

      • steal.exe (PID: 2176)

    • The process connected to a server suspected of theft

      • steal.exe (PID: 2176)

  • INFO

    • Checks supported languages

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads the computer name

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads the machine GUID from the registry

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Checks proxy server information

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads Environment values

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Disables trace logs

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads the software policy settings

      • steal.exe (PID: 3152)
      • steal.exe (PID: 2176)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 2268)
      • WMIC.exe (PID: 3396)
      • WMIC.exe (PID: 2932)
      • WMIC.exe (PID: 2412)
      • WMIC.exe (PID: 6036)
      • WMIC.exe (PID: 4480)

    • Process checks computer location settings

      • steal.exe (PID: 3152)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3976)
      • powershell.exe (PID: 5960)
      • powershell.exe (PID: 1912)
      • powershell.exe (PID: 5264)

    • Creates files in the program directory

      • steal.exe (PID: 2176)

    • Create files in a temporary directory

      • steal.exe (PID: 2176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2053:02:19 18:54:36+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 233472
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x3ae8e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Payload for Umbral Stealer
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
29
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start steal.exe wmic.exe no specs conhost.exe no specs #UMBRALSTEALER steal.exe wmic.exe no specs conhost.exe no specs attrib.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wmic.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1428\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1912"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITYC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2064\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2176"C:\Users\admin\AppData\Local\Temp\steal.exe" C:\Users\admin\AppData\Local\Temp\steal.exe
steal.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\steal.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2268"wmic.exe" csproduct get uuidC:\Windows\System32\wbem\WMIC.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2404\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2412"wmic.exe" computersystem get totalphysicalmemoryC:\Windows\System32\wbem\WMIC.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2896\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2932"wmic.exe" os get CaptionC:\Windows\System32\wbem\WMIC.exesteal.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
3052\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
31 713
Read events
31 691
Write events
22
Delete events
0

Modification events

(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3152) steal.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\steal_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
6
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
3976powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_op4u52uq.p0u.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2176steal.exeC:\WINDOWS\System32\drivers\etc\hoststext
MD5:2992FEB95030E84DE4A6D2F432E17E5F
SHA256:5E9F7AAADDAD64848ADC44BD44DE1FFE3E69DFCCDEFF29B58067A7F313EABD2D
2176steal.exeC:\Users\admin\AppData\Local\Temp\San6ZPAhOuFO2gnbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
3976powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:E572D4BEA2ED4B410435212D3D83372A
SHA256:1DFC15AA5779FDB095A515CA731C057FE0F5E65A8854AE626EC2222CAE19E33B
2176steal.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CrUe2.screxecutable
MD5:C9B347A376039E869C9E23D342104FC3
SHA256:27EA5856CEB25C7BB7C99CF883ECAEE2C7FC7B1E9C595C0E2B18CCEA0DDA1441
2176steal.exeC:\Users\admin\AppData\Local\Temp\egSjYV3FEL5bLoVbinary
MD5:09A22B1BCD9725DF5B3591EBBD2CEBD6
SHA256:4F81904A9B06C58572A0E5769B3B4FFB99E7BD4BE88EE8C2B64A804F483D9DC6
5960powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_phcuwt1h.jkp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5960powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0h4gqenw.qjk.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2176steal.exeC:\Users\admin\AppData\Local\Temp\IzHJLWtEFRI6LUIbinary
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
2176steal.exeC:\Users\admin\AppData\Local\Temp\Ox9G1or6rA1KYOo\Browsers\Cookies\Edge Cookies.txttext
MD5:871FE3AC1630E064B7AA098657F5EABE
SHA256:E0D7792DC70C3ABF1C99956E6BA553B700F8C113A4CB45B355B24FE6814B3C22
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
60
DNS requests
20
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3152
steal.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
unknown
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
unknown
2176
steal.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
unknown
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
2176
steal.exe
GET
200
208.95.112.1:80
http://ip-api.com/json/?fields=225545
unknown
unknown
1540
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1832
SIHClient.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
1540
MoUsoCoreWorker.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1832
SIHClient.exe
GET
200
88.221.125.143:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2848
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3656
RUXIMICS.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1540
MoUsoCoreWorker.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3152
steal.exe
172.217.23.99:443
gstatic.com
GOOGLE
US
whitelisted
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
3152
steal.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
2176
steal.exe
172.217.23.99:443
gstatic.com
GOOGLE
US
whitelisted
4656
SearchApp.exe
2.23.209.187:443
www.bing.com
Akamai International B.V.
GB
unknown
2176
steal.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown

DNS requests

Domain
IP
Reputation
gstatic.com
  • 172.217.23.99
whitelisted
ip-api.com
  • 208.95.112.1
shared
www.bing.com
  • 2.23.209.187
  • 2.23.209.130
  • 2.23.209.137
  • 2.23.209.133
  • 2.23.209.135
  • 2.23.209.140
  • 2.23.209.185
  • 2.23.209.186
  • 2.23.209.189
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.75
  • 20.190.159.4
  • 40.126.31.69
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.128.233
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2168
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
3152
steal.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
3152
steal.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2176
steal.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
2176
steal.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2176
steal.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2176
steal.exe
A Network Trojan was detected
STEALER [ANY.RUN] UmbralStealer Generic External IP Check
2168
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2176
steal.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
steal.exe