Field | Value |
---|---|
File name | Discord_Nitro_Generator.rar |
Full analysis | https://app.any.run/tasks/500467f5-fbc0-4c0e-84a5-65244c28cc1d |
Verdict | Malicious activity |
Threats | Orcus is a modular Remote Access Trojan with some unusual functions. This RAT enables attackers to create plugins using a custom development library and offers a robust core feature set that makes it one of the most dangerous malicious programs in its class. |
Analysis date | December 05, 2022, 16:51:45 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-rar |
File info | RAR archive data, v5 |
MD5 | 03F0492594BF7789309D9195A4CC3226 |
SHA1 | 267B46D62BD2EEC05AA664DF7BF262198A4F1836 |
SHA256 | 3E7436D1BD67FD7EE53F9D537CF6C060233B90F5F1E1EF83406F185A0705ED0D |
SSDEEP | 12288:+ACcUcPjdAIrl5cjAvsX20UP8BQdkKUwCKiQGlNbFcd34geeFFVjrX:+5cUkRA8PcjW2zw9UPKilNbFo37eOFVP |
Extension | Detection |
---|---|
.rar | RAR compressed archive (v5.0) (61.5) |
.rar | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1592 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Discord_Nitro_Generator.rar" | C:\Program Files\WinRAR\WinRAR.exe | | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.91.0 |
3716 | "C:\Users\admin\Desktop\Discord_Nitro_Generator.exe" | C:\Users\admin\Desktop\Discord_Nitro_Generator.exe | — | Explorer.EXE | User: admin; Company: Discord Inc.; Integrity Level: MEDIUM; Description: Discord; Exit code: 3221226540; Version: 1.0.9007.0 |
2760 | "C:\Users\admin\Desktop\Discord_Nitro_Generator.exe" | C:\Users\admin\Desktop\Discord_Nitro_Generator.exe | | Explorer.EXE | User: admin; Company: Discord Inc.; Integrity Level: HIGH; Description: Discord; Exit code: 0; Version: 1.0.9007.0 |
2796 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xpvuljjv.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | Discord_Nitro_Generator.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.5483 (Win7SP1GDR.050727-5400) |
3132 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES5574.tmp" "c:\Users\admin\AppData\Local\Temp\CSC5573.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 8.00.50727.5003 (Win7SP1GDR.050727-5400) |
1464 | "C:\Windows\system32\WindowsInput.exe" --install | C:\Windows\system32\WindowsInput.exe | — | Discord_Nitro_Generator.exe | User: admin; Company: Microsoft; Integrity Level: HIGH; Description: Windows Input; Exit code: 0; Version: 0.1.0 |
3300 | "C:\Windows\system32\WindowsInput.exe" | C:\Windows\system32\WindowsInput.exe | — | services.exe | User: SYSTEM; Company: Microsoft; Integrity Level: SYSTEM; Description: Windows Input; Version: 0.1.0 |
3460 | "C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe" | C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe | | Discord_Nitro_Generator.exe | User: admin; Company: Discord Inc.; Integrity Level: HIGH; Description: Discord; Version: 1.0.9007.0 |
2932 | C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe | — | taskeng.exe | User: admin; Company: Discord Inc.; Integrity Level: HIGH; Description: Discord; Exit code: 0; Version: 1.0.9007.0 |
312 | "C:\Users\admin\AppData\Roaming\updater.exe" /launchSelfAndExit "C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe" 3460 /protectFile | C:\Users\admin\AppData\Roaming\updater.exe | — | Discord.exe | User: admin; Integrity Level: HIGH; Exit code: 2308; Version: 1.0.0.0 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
1592 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E | write | LanguageList | en-US |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Discord_Nitro_Generator.rar |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
1592 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2760 | Discord_Nitro_Generator.exe | C:\Users\admin\AppData\Local\Temp\xpvuljjv.cmdline | text | B027F611E2AE055D71EE2343625C4B44 | 70EC0C3E5F81FFCC3203D457E3E80D5F817ADBBB25FDF989415FC55EDBABCD19 |
3132 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES5574.tmp | o | A7BC3900ECE7449D180AA2C8132A9C8B | 58BA143BA87612C8ADAEE1E05AB09DE82D5D3541F1F271EF2A9FE32610F8C5D9 |
1592 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1592.9886\Discord_Nitro_Generator.exe | executable | 290C7BD6CF68E292B9676B3758FA3F24 | 40E42E036423620686B00791BC5612B26D6855A2AC77FCBEDE5F20483F7E4291 |
2760 | Discord_Nitro_Generator.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9007\resources\bootstrap\Discord.exe | executable | 290C7BD6CF68E292B9676B3758FA3F24 | 40E42E036423620686B00791BC5612B26D6855A2AC77FCBEDE5F20483F7E4291 |
2796 | csc.exe | C:\Users\admin\AppData\Local\Temp\xpvuljjv.out | text | 5686D22C4F53E5A8FD14DC1822FC17CC | 531C5D1F785F99B41E8E26D55DD82A69303656B45B7A90109729E6B822196836 |
1756 | Discord_Nitro_Generator.exe | C:\Users\admin\AppData\Local\Temp\eig9vgvb.0.cs | text | 2D3862170DF3AA072DEC08166F34DB0E | 1D3FEBBFDF03D8A3DCD69557ACFD63E618C3E1DAB3607CAB328EE198465A5571 |
3408 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC29CB.tmp | res | 2D610645E2C0FE4C5F5F278C9A410AF1 | FBE9D9BD9CA5F85963DC234A49FB171E628E4353EB5E92C4C19769756DDC7BCD |
2760 | Discord_Nitro_Generator.exe | C:\Users\admin\AppData\Local\Temp\xpvuljjv.0.cs | text | A487F25EF335D1C71EC4789E480C09E0 | A496F3EC024EBF0C48C9E10E4F45A5EB57E72ED6A9055D1584BE0908604BC612 |
3188 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES29CC.tmp | o | 319E353CFE685A314E4BAFE9F9FCE69B | A4331E4FC00FDF38B40FAE847E124454BD969E7B3BB7D1EA98EF324B65CCE24F |
2796 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC5573.tmp | res | 169D4F7F27CCE5B1C6D16B11A13C4D51 | 507D528F523B17A9D7253ADA650E70E03E4F97E3D50DA4AF44F747CCA6E64479 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 23.205.225.13:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133147328405000000 | NL | — | — | whitelisted |
— | — | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4e027e62305cb4c9 | US | compressed | 61.4 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3460 | Discord.exe | 79.137.202.126:10134 | — | — | RU | malicious |
— | — | 79.137.202.126:10134 | — | — | RU | malicious |
— | — | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious |
— | — | 23.205.225.13:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | DE | unknown |
Domain | IP | Reputation |
---|---|---|
query.prod.cms.rt.microsoft.com | — | whitelisted |
ctldl.windowsupdate.com | — | whitelisted |