analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Discord-Raider-main.zip

Full analysis: https://app.any.run/tasks/74dc18dd-0368-4ef9-8633-f728e6366381
Verdict: Malicious activity
Analysis date: January 24, 2022, 19:57:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

49656D49A0CAAEC41151033A1D04FE29

SHA1:

48A10073D2EE5E99D679E8AA47EF1F6A18E8C22C

SHA256:

341163C1067E7518FD358889B534C6A0A3B55157913AC7E7FE3B61696CA00898

SSDEEP:

49152:WEgpquMXtukJ7lR6qGdlk8b1oQqz+4pJQqP1zTiTR4EWlXHVfEhy2J3Y2ptXHEAl:wAjVZHG51MnvQATiTeNVYy2Jo2vn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 2844)
      • Explorer.EXE (PID: 1656)
      • DiscordRaider.exe (PID: 3672)
      • DiscordRaider.exe (PID: 3788)

    • Application was dropped or rewritten from another process

      • DiscordRaider.exe (PID: 3672)
      • DiscordRaider.exe (PID: 3788)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3204)
      • DiscordRaider.exe (PID: 3672)
      • DiscordRaider.exe (PID: 3788)

    • Checks supported languages

      • WinRAR.exe (PID: 3204)
      • DiscordRaider.exe (PID: 3672)
      • DiscordRaider.exe (PID: 3788)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3204)

    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3204)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3204)

    • Creates files in the user directory

      • Explorer.EXE (PID: 1656)

    • Reads Environment values

      • DiscordRaider.exe (PID: 3672)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • Explorer.EXE (PID: 1656)
      • WinRAR.exe (PID: 3204)

    • Reads settings of System Certificates

      • DiscordRaider.exe (PID: 3672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:03:29 12:09:28
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Discord-Raider-main/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs explorer.exe no specs discordraider.exe discordraider.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3204"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Discord-Raider-main.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2844"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe3_ Global\UsGthrCtrlFltPipeMssGthrPipe3 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\system32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)
1656C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3672"C:\Users\admin\Desktop\Discord-Raider-main\DiscordRaider.exe" C:\Users\admin\Desktop\Discord-Raider-main\DiscordRaider.exe
Explorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Discord Raider By Extensions
Version:
1.0.0.0
3788"C:\Users\admin\Desktop\Discord-Raider-main\DiscordRaider.exe" C:\Users\admin\Desktop\Discord-Raider-main\DiscordRaider.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Description:
Discord Raider By Extensions
Version:
1.0.0.0
Total events
13 869
Read events
13 630
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
0
Text files
5
Unknown types
2

Dropped files

PID
Process
Filename
Type
1656Explorer.EXEC:\Users\admin\Desktop\syus.txttext
MD5:E12ED8DD103EF8DCD2907B60EE51C11B
SHA256:6BFB5BED5DA200C4C0162E94569F3FDAD89FA9FC37DDC0AB88C9FA4F28E05646
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\syus.txttext
MD5:E12ED8DD103EF8DCD2907B60EE51C11B
SHA256:6BFB5BED5DA200C4C0162E94569F3FDAD89FA9FC37DDC0AB88C9FA4F28E05646
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\Discord-Raider-main\RaidAPI.dllexecutable
MD5:CB32F0166833761B9009C32DC122964E
SHA256:F3C37C3D71573368F463F053E6B5A90C5073DCE79559C8975E12E010E1FB5836
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\Discord-Raider-main\README.mdtext
MD5:04B81692C02EF9EFE3B94536AE70B508
SHA256:ED39BD8E777F36710500C25B530E0B244B23067BC9EEF46FA7A4379F88990163
1656Explorer.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\syus.txt.lnklnk
MD5:5C1336EA9C273AA5919D2100EDE157EE
SHA256:A3615813B44E54B0275E15D8711B9D580A149C33F3D29981070F4C80CBD3F59D
3672DiscordRaider.exeC:\Users\admin\AppData\Local\DiscordRaider\DiscordRaider.exe_Url_hk3t2fmcv0vtext221uv2bkjuefulmg4\1.0.0.0\tim2vmkp.newcfgxml
MD5:BDD2442197A9FDD6096766006A39E2D9
SHA256:F3C7403F75F7EF7EF2B2BD2E422AD456FBC861E84C70FBDFA12DE3670186480F
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\Discord-Raider-main\Discord.Net.WebSocket.dllexecutable
MD5:B1C42560370899C48A9607C34B84A498
SHA256:B2440A1938B9EE0E44499AD2FCE68DB0D35C0A51BCFC46CC44D9EE102363A9F6
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\Discord-Raider-main\Discord.Net.Core.dllexecutable
MD5:D00FE9035E5936A65AD44D819CA7B392
SHA256:F812A1DA84B579BE1032ACB06F13546220E1D26B79D9008659B5B4694353045D
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\Discord-Raider-main\System.Collections.Immutable.dllexecutable
MD5:D8203AEDAABEAC1E606CD0E2AF397D01
SHA256:2F05A2C489C2D30A6CCA346D4CE184323D70EB4F5AFA6BED34D5800274444E57
3204WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3204.39544\Discord-Raider-main\DiscordRaider.exeexecutable
MD5:FB3C872971149DE7FA850448B879DECC
SHA256:E2767833CA54642BDF51CDCF8E453DBB91C24050B18C97B20B9C744E5E26E7DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
137
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3672
DiscordRaider.exe
162.159.130.233:443
discordapp.com
Cloudflare Inc
shared
162.159.130.233:443
discordapp.com
Cloudflare Inc
shared
162.159.129.233:443
discordapp.com
Cloudflare Inc
shared
3672
DiscordRaider.exe
162.159.135.233:443
discordapp.com
Cloudflare Inc
shared

DNS requests

Domain
IP
Reputation
discordapp.com
  • 162.159.130.233
  • 162.159.129.233
  • 162.159.135.233
  • 162.159.133.233
  • 162.159.134.233
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Discord-Raider-main.zip