File name: Discord_Nitro_Generator.rar

Full analysis: https://app.any.run/tasks/500467f5-fbc0-4c0e-84a5-65244c28cc1d
Verdict: Malicious activity
Threats:

Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class.

Analysis date: December 05, 2022, 16:51:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
orcus
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 03F0492594BF7789309D9195A4CC3226
SHA1: 267B46D62BD2EEC05AA664DF7BF262198A4F1836
SHA256: 3E7436D1BD67FD7EE53F9D537CF6C060233B90F5F1E1EF83406F185A0705ED0D
SSDEEP: 12288:+ACcUcPjdAIrl5cjAvsX20UP8BQdkKUwCKiQGlNbFcd34geeFFVjrX:+5cUkRA8PcjW2zw9UPKilNbFo37eOFVP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Discord_Nitro_Generator.exe (PID: 3716)
      • WindowsInput.exe (PID: 1464)
      • WindowsInput.exe (PID: 3300)
      • Discord_Nitro_Generator.exe (PID: 2760)
      • Discord.exe (PID: 2932)
      • updater.exe (PID: 312)
      • Discord.exe (PID: 3460)
      • updater.exe (PID: 2308)
      • Discord_Nitro_Generator.exe (PID: 2084)
      • Discord_Nitro_Generator.exe (PID: 1756)
      • updater.exe (PID: 3632)
      • updater.exe (PID: 2084)
    • Drops the executable file immediately after the start

      • Discord_Nitro_Generator.exe (PID: 2760)
    • ORCUS was detected

      • Discord.exe (PID: 3460)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Discord_Nitro_Generator.exe (PID: 2760)
    • Starts itself from another location

      • Discord_Nitro_Generator.exe (PID: 2760)
    • Connects to unusual port

      • Discord.exe (PID: 3460)
    • Application launched itself

      • updater.exe (PID: 312)
      • updater.exe (PID: 3632)
  • INFO

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 1592)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 18
Malicious processes: 4
Suspicious processes: 2

Behavior graph: interactive process graph (winrar.exe, discord_nitro_generator.exe, csc.exe, cvtres.exe, windowsinput.exe, discord.exe (#ORCUS), updater.exe, taskmgr.exe); details are in the full report.

Process information

PID | CMD | Path | Indicators | Parent process
PID: 1592
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Discord_Nitro_Generator.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\windows\system32\kernel32.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3716
CMD: "C:\Users\admin\Desktop\Discord_Nitro_Generator.exe"
Path: C:\Users\admin\Desktop\Discord_Nitro_Generator.exe
Parent process: Explorer.EXE
User:
admin
Company:
Discord Inc.
Integrity Level:
MEDIUM
Description:
Discord
Exit code:
3221226540
Version:
1.0.9007.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\desktop\discord_nitro_generator.exe
PID: 2760
CMD: "C:\Users\admin\Desktop\Discord_Nitro_Generator.exe"
Path: C:\Users\admin\Desktop\Discord_Nitro_Generator.exe
Parent process: Explorer.EXE
User:
admin
Company:
Discord Inc.
Integrity Level:
HIGH
Description:
Discord
Exit code:
0
Version:
1.0.9007.0
Modules
Images
c:\users\admin\desktop\discord_nitro_generator.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2796
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xpvuljjv.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: Discord_Nitro_Generator.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3132
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5574.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5573.tmp"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework\v2.0.50727\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
PID: 1464
CMD: "C:\Windows\system32\WindowsInput.exe" --install
Path: C:\Windows\system32\WindowsInput.exe
Parent process: Discord_Nitro_Generator.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Windows Input
Exit code:
0
Version:
0.1.0
Modules
Images
c:\windows\system32\windowsinput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3300
CMD: "C:\Windows\system32\WindowsInput.exe"
Path: C:\Windows\system32\WindowsInput.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft
Integrity Level:
SYSTEM
Description:
Windows Input
Version:
0.1.0
Modules
Images
c:\windows\system32\windowsinput.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 3460
CMD: "C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe"
Path: C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe
Parent process: Discord_Nitro_Generator.exe
User:
admin
Company:
Discord Inc.
Integrity Level:
HIGH
Description:
Discord
Version:
1.0.9007.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\discord\app-1.0.9007\resources\bootstrap\discord.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
PID: 2932
CMD: C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe
Path: C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe
Parent process: taskeng.exe
User:
admin
Company:
Discord Inc.
Integrity Level:
HIGH
Description:
Discord
Exit code:
0
Version:
1.0.9007.0
Modules
Images
c:\users\admin\appdata\local\discord\app-1.0.9007\resources\bootstrap\discord.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 312
CMD: "C:\Users\admin\AppData\Roaming\updater.exe" /launchSelfAndExit "C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe" 3460 /protectFile
Path: C:\Users\admin\AppData\Roaming\updater.exe
Parent process: Discord.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2308
Version:
1.0.0.0
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\roaming\updater.exe
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\lpk.dll
Total events: 5 274
Read events: 5 210
Write events: 64
Delete events: 0

Modification events

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (1592) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Discord_Nitro_Generator.rar

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (1592) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100
Executable files: 6
Suspicious files: 0
Text files: 10
Unknown types: 4

Dropped files

PID | Process | Filename | Type

3408 | csc.exe | C:\Users\admin\AppData\Local\Temp\eig9vgvb.dll | executable
MD5: 2AC0DC4C7A91A069F417FAB98DEA780D
SHA256: 74F51CD1F5730F793BB2CCE63F7EAFA70890E07984783FC8E3FDA53AF0FBA160

3460 | Discord.exe | C:\Users\admin\AppData\Roaming\updater.exe.config | xml
MD5: A2B76CEA3A59FA9AF5EA21FF68139C98
SHA256: F99EF5BF79A7C43701877F0BB0B890591885BB0A3D605762647CC8FFBF10C839

3132 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES5574.tmp | o
MD5: A7BC3900ECE7449D180AA2C8132A9C8B
SHA256: 58BA143BA87612C8ADAEE1E05AB09DE82D5D3541F1F271EF2A9FE32610F8C5D9

3188 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES29CC.tmp | o
MD5: 319E353CFE685A314E4BAFE9F9FCE69B
SHA256: A4331E4FC00FDF38B40FAE847E124454BD969E7B3BB7D1EA98EF324B65CCE24F

1592 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1592.9886\Discord_Nitro_Generator.exe | executable
MD5: 290C7BD6CF68E292B9676B3758FA3F24
SHA256: 40E42E036423620686B00791BC5612B26D6855A2AC77FCBEDE5F20483F7E4291

2760 | Discord_Nitro_Generator.exe | C:\Users\admin\AppData\Local\Temp\xpvuljjv.0.cs | text
MD5: A487F25EF335D1C71EC4789E480C09E0
SHA256: A496F3EC024EBF0C48C9E10E4F45A5EB57E72ED6A9055D1584BE0908604BC612

2796 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5573.tmp | res
MD5: 169D4F7F27CCE5B1C6D16B11A13C4D51
SHA256: 507D528F523B17A9D7253ADA650E70E03E4F97E3D50DA4AF44F747CCA6E64479

2796 | csc.exe | C:\Users\admin\AppData\Local\Temp\xpvuljjv.dll | executable
MD5: 0FB165FD5A9B9AF870AB54F4CCC5FC92
SHA256: DA0C89AD404AD8E768D7BC4A09335DE5CB4949FB4D4D544470746B8F527A869B

2796 | csc.exe | C:\Users\admin\AppData\Local\Temp\xpvuljjv.out | text
MD5: 5686D22C4F53E5A8FD14DC1822FC17CC
SHA256: 531C5D1F785F99B41E8E26D55DD82A69303656B45B7A90109729E6B822196836

3460 | Discord.exe | C:\Users\admin\AppData\Roaming\updater.exe | executable
MD5: 913967B216326E36A08010FB70F9DBA3
SHA256: 8D880758549220154D2FF4EE578F2B49527C5FB76A07D55237B61E30BCC09E3A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 4
DNS requests: 2
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | HEAD | 200 | 23.205.225.13:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133147328405000000 | NL | - | - | whitelisted
- | - | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4e027e62305cb4c9 | US | compressed | 61.4 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 23.205.225.13:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown
- | - | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
3460 | Discord.exe | 79.137.202.126:10134 | - | - | RU | malicious
- | - | 79.137.202.126:10134 | - | - | RU | malicious

DNS requests

Domain | IP | Reputation
query.prod.cms.rt.microsoft.com | 23.205.225.13 | whitelisted
ctldl.windowsupdate.com | 23.216.77.69, 23.216.77.80 | whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info