File name: OpenDiscordHaxx-master.zip

Full analysis: https://app.any.run/tasks/7e82c220-49a2-462c-bd9e-75db5b5e01a9
Verdict: Malicious activity
Analysis date: October 19, 2020, 22:55:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 793E61BCCD714F11D74F663A1BB5A518
SHA1: A50F08D451EA31301CC5D25DEE27EA8D9B009097
SHA256: 3A1CD8CFE27099E144C0A63E24649E1377E7F7A747D2DEA25F3B43C8772C61DB
SSDEEP: 196608:x292JFP5D52JFuP7RAiU7tOSs8+A+2JFH+uHCmMmw669vkniNDq:xA2vL2OP9DlA+2Ximy1/Dq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Starts Internet Explorer
      • rundll32.exe (PID: 1136)
  • INFO
    • Manual execution by user
      • rundll32.exe (PID: 1136)
      • rundll32.exe (PID: 4004)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3568)
    • Changes internet zones settings
      • iexplore.exe (PID: 2492)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3568)
    • Application launched itself
      • iexplore.exe (PID: 2492)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3568)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2528)
      • iexplore.exe (PID: 2492)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3568)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2528)
      • iexplore.exe (PID: 2492)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2492)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2492)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2528)
    • Creates files in the user directory
      • iexplore.exe (PID: 2528)
      • iexplore.exe (PID: 2492)
    • Modifies the open verb of a shell class
      • rundll32.exe (PID: 4004)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 2492)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (36.3)

EXIF (ZIP):
ZipFileName: OpenDiscordHaxx-master/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2019:09:09 22:06:16
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
Total processes: 52
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0


Process information

PID 116 | Parent process: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\OpenDiscordHaxx-master.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Exit code: 0
  Description: WinRAR archiver | Version: 5.60.0

PID 1136 | Parent process: explorer.exe
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\OpenDiscordHaxx-master\OpenDiscordHaxx\Raidbot\Joiner\Join.cs
  Path: C:\Windows\system32\rundll32.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Windows host process (Rundll32) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2492 | Parent process: rundll32.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=cs
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 1
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2528 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2492 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: LOW | Exit code: 0
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 4004 | Parent process: explorer.exe
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\OpenDiscordHaxx-master\OpenDiscordHaxx\Raidbot\Joiner\Joiner.cs
  Path: C:\Windows\system32\rundll32.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Windows host process (Rundll32) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2244 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2492 CREDAT:78849 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2952 | Parent process: explorer.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\OpenDiscordHaxx-master\OpenDiscordHaxx\Raidbot\Joiner\Join.cs
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 1
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1724 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:144385 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2552 | Parent process: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\OpenDiscordHaxx-master\OpenDiscordHaxx\Raidbot\Joiner\Join.cs
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 0
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3568 | Parent process: explorer.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\OpenDiscordHaxx-master\OpenDiscordHaxx\Tools\Cleaner\Cleaner.cs
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Exit code: 1
  Description: Internet Explorer | Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 2 551
Read events: 2 170
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 20
Text files: 35
Unknown types: 3

Dropped files

PID | Process | Filename | Type
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\ModResp.cs | text
    MD5: 009C05797D8D66FB913CA5C60FB3D2B4 | SHA256: E3DCE319D5D9499EC1792098589BA179FDD3B99A4B18575479B5173108D1816D
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\App.config | xml
    MD5: 335975BEBFD5E539FE2025FEAFF497E3 | SHA256: B0D8835D6D7686426FE217A3407B3CAC3AFFA286CA9F59763C5594DB76264F72
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\List\BasicBotInfo.cs | text
    MD5: 4EDDD64857A221149254BC357E178568 | SHA256: 91292C858D4CDBAAC38416B98EA291B83E7B34585C013DCE36F667763334106C
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\List\ListAction.cs | text
    MD5: 764CF6ECC3EDAAB2F0861B088310FB24 | SHA256: 4A6B2C99885A7BA23DC936140E4DF74CFF9A5CF53AC048B26E3A5FC1210829F4
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\BotRequest.cs | text
    MD5: 562EA8FBAB57D7C97A11D45C30557A49 | SHA256: 2565F3BB91AAEE238B5AB75F5BCAE9E843AF796A21FECAF7A8CBEB4A3DFC6B3D
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\Token.cs | text
    MD5: B76AA81C2816976548500D31EA63D65B | SHA256: 2EC93A55F932D21E54A01D45BEF01897104C5075CA31BC532DC5B97B190129BD
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx.sln | text
    MD5: 2B39EE3EE7D31BBDCDEC7013974963C1 | SHA256: 4935092A8C0267CF8305B593FC7B5E638ECB7C93FE02CD06D3E5E7BA1107CB79
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\Changelog.md | text
    MD5: FB3D23D507B110219ADF3F626C1A7272 | SHA256: 9B6470958BDC90CBA389B6B0ABB9050B895F221B1BCBB608180F3CB76328397F
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\DiscordImage.cs | text
    MD5: 81C6074B7F485E2252C99C5FDB6E16A5 | SHA256: F0F5CEC77AA7E37A7A274B058FCA4F1F3ADEEB02E57F1A6A504BA1BC20EEDF28
116 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa116.47677\OpenDiscordHaxx-master\OpenDiscordHaxx\BotList\Requests\Profile\GuildInfo.cs | text
    MD5: 15322551E55F7CD7ED643B7AB37B5517 | SHA256: AE38D356F5455E8771BDEA94658C1BDB7C080CD273F6B34B117D055F2754D39B
HTTP(S) requests: 5
TCP/UDP connections: 17
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2528 | iexplore.exe | GET | 301 | 2.16.186.24:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=cs | - | unknown | - | whitelisted
2528 | iexplore.exe | GET | 302 | 104.109.95.91:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=cs | NL | - | - | whitelisted
2528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2492 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2528 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2492 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2492 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2528 | iexplore.exe | 2.16.186.24:80 | shell.windows.com | Akamai International B.V. | - | whitelisted
2528 | iexplore.exe | 104.109.95.91:80 | go.microsoft.com | Akamai International B.V. | NL | unknown
2528 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2492 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
go.microsoft.com | 104.109.95.91 | whitelisted
shell.windows.com | 2.16.186.24, 2.16.186.27 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

PID | Process | Class | Message
2528 | iexplore.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2528 | iexplore.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request