File name:	Rattle.exe
Full analysis:	https://app.any.run/tasks/0f7c1461-1b59-4611-a13e-cc1de8c1c112
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 19, 2025, 22:38:18
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	uac pyinstaller susp-powershell discordgrabber generic stealer ims-api upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 10 sections
MD5:	505EA6AD5A7FCFC0F07628EF63A94542
SHA1:	FC915F5D63568FB69F4EAF5A3B486C261A5252FA
SHA256:	4AB943562558F968C658E82D89665A28CEF86BAB9BACA03F5588365AF679050D
SSDEEP:	98304:Of39MQrNOzhJ8QKCt7bm6GpJ0SDaF9XLDbenkuA83wpYp2twLb163At/pDuKFd7Z:OV4ZoO8YNW49rjfnm

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2025:06:19 22:35:24+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware, No debug
PEType:	PE32+
LinkerVersion:	2.44
CodeSize:	80384
InitializedDataSize:	118784
UninitializedDataSize:	15872
EntryPoint:	0x12ff
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows GUI
FileVersionNumber:	10.0.26100.3323
ProductVersionNumber:	10.0.26100.3323
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Microsoft® Group Policy Update Utility
FileVersion:	10.0.26100.3323 (WinBuild.160101.0800)
InternalName:	GPUpdate.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	GPUpdate.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.26100.3323


(PID) Process:	(3924) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	write	Name:	DelegateExecute
Value:
(PID) Process:	(7056) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7056) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(7056) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(7056) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2216) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2216) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell\open
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2216) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings\shell
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(2216) reg.exe	Key:	HKEY_CLASSES_ROOT\ms-settings
Operation:	delete key	Name:	(default)
Value:

PID	Process	Filename		Type
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_bz2.pyd		executable
		MD5:0C13627F114F346604B0E8CBC03BAF29	SHA256:DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_hashlib.pyd		executable
		MD5:596DF8ADA4B8BC4AE2C2E5BBB41A6C2E	SHA256:54348CFBF95FD818D74014C16343D9134282D2CF238329EEC2CDA1E2591565EC
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_queue.pyd		executable
		MD5:FBBBFBCDCF0A7C1611E27F4B3B71079E	SHA256:699C1F0F0387511EF543C0DF7EF81A13A1CFFDE4CE4CD43A1BAF47A893B99163
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\api-ms-win-core-console-l1-1-0.dll		executable
		MD5:9F746F4F7D845F063FEA3C37DCEBC27C	SHA256:88ACE577A9C51061CB7D1A36BABBBEFA48212FADC838FFDE98FDFFF60DE18386
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_socket.pyd		executable
		MD5:4351D7086E5221398B5B78906F4E84AC	SHA256:A0FA25EEF91825797F01754B7D7CF5106E355CF21322E926632F90AF01280ABE
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_lzma.pyd		executable
		MD5:8D9E1BB65A192C8446155A723C23D4C5	SHA256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_ctypes.pyd		executable
		MD5:38FB83BD4FEBED211BD25E19E1CAE555	SHA256:CD31AF70CBCFE81B01A75EBEB2DE86079F4CBE767B75C3B5799EF8B9F0392D65
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_sqlite3.pyd		executable
		MD5:D678600C8AF1EEEAA5D8C1D668190608	SHA256:D6960F4426C09A12488EB457E62506C49A58D62A1CB16FBC3AE66B260453C2ED
4884	Rattle.exe	C:\Users\admin\AppData\Local\Temp\_MEI48842\_ssl.pyd		executable
		MD5:156B1FA2F11C73ED25F63EE20E6E4B26	SHA256:A9B5F6C7A94FB6BFAF82024F906465FF39F9849E4A72A98A9B03FC07BF26DA51

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	POST	—	20.190.160.64:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
—	—	POST	—	20.190.160.64:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
—	—	POST	—	40.126.32.134:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
—	—	GET	—	142.250.186.163:443	https://gstatic.com/generate_204	unknown	—	—	—
—	—	GET	—	142.250.186.163:443	https://gstatic.com/generate_204	unknown	—	—	—
—	—	POST	—	40.126.32.134:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted
—	—	GET	—	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	—	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	—	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
—	—	GET	—	142.250.186.163:443	https://gstatic.com/generate_204	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
2368	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5944	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6024	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2336	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
436	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.32.74 40.126.32.72 20.190.160.17 20.190.160.3 20.190.160.22 20.190.160.132 20.190.160.67 20.190.160.65	whitelisted
gstatic.com	142.250.184.195	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
x1.c.lencr.org	23.209.209.135 69.192.161.44	whitelisted

General Info

Rattle.exe

505EA6AD5A7FCFC0F07628EF63A94542

FC915F5D63568FB69F4EAF5A3B486C261A5252FA

4AB943562558F968C658E82D89665A28CEF86BAB9BACA03F5588365AF679050D

98304:Of39MQrNOzhJ8QKCt7bm6GpJ0SDaF9XLDbenkuA83wpYp2twLb163At/pDuKFd7Z:OV4ZoO8YNW49rjfnm

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

Bypass User Account Control (Modify registry)

Bypass User Account Control (ComputerDefaults)

Adds path to the Windows Defender exclusion list

Antivirus name has been found in the command line (generic signature)

Changes Windows Defender settings

Changes Controlled Folder Access settings

Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)

Changes settings for checking scripts for malicious actions

Changes settings for reporting to Microsoft Active Protection Service (MAPS)

Changes settings for real-time protection

Changes settings for sending potential threat samples to Microsoft servers

Changes settings for protection against network attacks (IPS)

Resets Windows Defender malware definitions to the base version

Steals Growtopia credentials and data (YARA)

DISCORDGRABBER has been detected (YARA)

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Process drops python dynamic module

Executable content was dropped or overwritten

The process drops C-runtime libraries

Application launched itself

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Changes default file association

Found strings related to reading or modifying Windows Defender settings

Uses WEVTUTIL.EXE to query events from a log or log file

Script disables Windows Defender's IPS

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Possible usage of Discord/Telegram API has been detected (YARA)

Script disables Windows Defender's real-time protection

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads security settings of Internet Explorer

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

PyInstaller has been detected (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Reads the software policy settings

Checks proxy server information

UPX packer has been detected

Malware configuration

ims-api

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information