File name: install2.exe
Full analysis: https://app.any.run/tasks/15eb2bb2-aff9-40e7-8fe0-0774a35e09af
Verdict: Malicious activity
Threats: Stealer

Stealers are a family of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed in phishing campaigns.

Analysis date: October 07, 2024, 18:58:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: evasion, telegram, ims-api, generic, discordgrabber, stealer, antivm, ip-check
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5: E38EDD674F3DD8B7C0A679D40702282C
SHA1: 1398CBA8332DA3E9C8238D43AAD018EC40770B89
SHA256: 67A549ACC82BB89265859EBFA67FAB003EB43884F847E754BC0A8CA631CA3C1C
SSDEEP: 98304:tQBbAQTc0xTXKGixfzeRqeSfh4XAd2l4pOMcL8TBvUiPHL1zn0bTmZ4sFt1X2CB7:82zDHGpauoHfSYH0w4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • DISCORDGRABBER has been detected (YARA)
      • test.exe (PID: 6128)
  • SUSPICIOUS
    • Process drops a Python dynamic module
      • install2.exe (PID: 4824)
      • install2.exe (PID: 2092)
    • Process drops C-runtime libraries
      • install2.exe (PID: 4824)
      • install2.exe (PID: 2092)
    • Process drops a legitimate Windows executable
      • install2.exe (PID: 4824)
      • install2.exe (PID: 2092)
    • Executable content was dropped or overwritten
      • install2.exe (PID: 4824)
      • install2.exe (PID: 2092)
    • Possible usage of the Discord/Telegram API has been detected (YARA)
      • test.exe (PID: 6128)
    • Contains functionality for VM detection (VMware)
      • test.exe (PID: 6128)
    • Contains functionality for VM detection (VirtualBox)
      • test.exe (PID: 6128)
    • Contains functionality for VM detection (anti-VM strings)
      • test.exe (PID: 6128)
    • Contains functionality for VM detection (Parallels)
      • test.exe (PID: 6128)
    • Contains functionality for capturing the public IP (YARA)
      • test.exe (PID: 6128)
    • Application launched itself
      • test.exe (PID: 6956)
    • Starts CMD.EXE for command execution
      • test.exe (PID: 1448)
      • test.exe (PID: 1168)
      • test.exe (PID: 3324)
      • test.exe (PID: 6360)
      • test.exe (PID: 7028)
    • Uses TASKKILL.EXE to kill browsers
      • cmd.exe (PID: 6796)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 5728)
      • cmd.exe (PID: 5136)
    • Uses TASKKILL.EXE to kill a process
      • cmd.exe (PID: 2224)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 964)
    • Checks for external IP
      • test.exe (PID: 1448)
    • Process communicates with Telegram (possibly using it as the attacker's C2 server)
      • test.exe (PID: 6956)
  • INFO
    • Checks supported languages
      • install2.exe (PID: 4824)
      • test.exe (PID: 6128)
    • Creates files in a temporary directory
      • install2.exe (PID: 4824)
    • Manual execution by a user
      • install2.exe (PID: 2092)
    • Checks operating system version
      • test.exe (PID: 1448)
    • Attempts to use an instant messaging service
      • test.exe (PID: 6956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
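The SUSPICIOUS signatures above describe a single chain: install2.exe unpacks a Nuitka onefile payload into %LOCALAPPDATA%\Temp\onefile_<PID>_<timestamp>\test.exe, the payload relaunches itself with --multiprocessing-fork (the "Application launched itself" hit; this is CPython's multiprocessing spawn on Windows), and each worker runs cmd.exe /c "taskkill /f /im <browser>.exe", which stealers typically do so that the browser's locked credential databases can be copied. taskkill exits with code 128 when no process by that name is running, which is what the exit codes in the process table below show in a sandbox with no browser open: the attempt is the signal, not its success. The detector below is an added example written for this page, not ANY.RUN's rule logic. It runs over constructed Sysmon-style process-creation events built from this report's process table; the PIDs, command lines and onefile path are the report's, while the parent links of the cmd.exe/taskkill.exe children, the launch path of install2.exe and the benign control row (PID 3000) are assumptions.

```python
import re

ONEFILE = r"C:\Users\admin\AppData\Local\Temp\onefile_2092_133728011169190944\test.exe"

# Constructed Sysmon-style process-creation events. PIDs, command lines and the
# onefile path come from this report's process table; the parent links of the
# cmd.exe/taskkill.exe children, the launch path of install2.exe and the benign
# control (PID 3000) are assumptions made for the example.
EVENTS = [
    {"pid": 4100, "ppid": 0,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2092, "ppid": 4100, "image": r"C:\Users\admin\Desktop\install2.exe", "cmdline": '"install2.exe"'},
    {"pid": 6956, "ppid": 2092, "image": ONEFILE, "cmdline": f'"{ONEFILE}"'},
    {"pid": 1448, "ppid": 6956, "image": ONEFILE,
     "cmdline": f'"{ONEFILE}" "--multiprocessing-fork" "parent_pid=6956" "pipe_handle=676"'},
    {"pid": 964,  "ppid": 1448, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c "taskkill /f /im browser.exe"'},
    {"pid": 5136, "ppid": 1448, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c "taskkill /f /im msedge.exe"'},
    {"pid": 1076, "ppid": 5136, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im msedge.exe"},
    {"pid": 6796, "ppid": 1448, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\WINDOWS\system32\cmd.exe /c "taskkill /f /im opera.exe"'},
    {"pid": 812,  "ppid": 6796, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im opera.exe"},
    # Benign control: an operator killing a stuck editor from an ordinary shell.
    {"pid": 3000, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "taskkill /f /im notepad.exe"'},
]

# browser.exe is Yandex Browser's process name, hence its presence in the sample's list.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe",
            "browser.exe", "vivaldi.exe", "iexplore.exe"}
ONEFILE_RE = re.compile(r"\\Temp\\onefile_(\d+)_(\d+)\\", re.IGNORECASE)
# Captures everything after "taskkill" up to a closing quote (or end of line).
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?\b(?P<args>[^"]*)', re.IGNORECASE)


def parse_taskkill(cmdline):
    """Return (target_image, forced) when the command line invokes taskkill /im, else None."""
    m = TASKKILL_RE.search(cmdline)
    if not m:
        return None
    tokens = m.group("args").split()
    target, forced = None, False
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low in ("/f", "-f"):
            forced = True
        elif low in ("/im", "-im") and i + 1 < len(tokens):
            target = tokens[i + 1].lower()
    return (target, forced) if target else None


def ancestry(events, pid):
    """Yield the event for pid, then each ancestor by following ppid links (loop-safe)."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def detect(events):
    """Flag forced browser kills whose ancestry leads back to a Nuitka onefile temp
    directory. One alert per matching event (both the cmd.exe wrapper and the
    taskkill.exe child fire, which is what you want for dedup by target later)."""
    alerts = []
    for ev in events:
        parsed = parse_taskkill(ev["cmdline"])
        if not parsed:
            continue
        target, forced = parsed
        if not forced or target not in BROWSERS:
            continue
        chain = list(ancestry(events, ev["pid"]))
        hit = next((m for m in map(ONEFILE_RE.search, (e["image"] for e in chain)) if m), None)
        if hit is None:
            continue
        alerts.append({
            "pid": ev["pid"],
            "target": target,
            # Nuitka names the directory after the bootstrap's PID; here that is install2.exe.
            "onefile_pid": int(hit.group(1)),
            "chain": [e["pid"] for e in chain],
            "self_spawn": any("--multiprocessing-fork" in e["cmdline"] for e in chain),
        })
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The onefile PID extracted from the path (2092) equals the install2.exe PID in the report, which is the cheap cross-check that the Temp payload really came out of that bootstrap rather than being an unrelated Nuitka application.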
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:05:04 07:34:28+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, No debug
PEType: PE32+
LinkerVersion: 2.41
CodeSize: 109568
InitializedDataSize: 7417856
UninitializedDataSize: 65024
EntryPoint: 0x10f6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 156
Monitored processes: 34
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Process nodes in graph order ("no specs" marks a process that triggered no signatures; the THREAT label is attached as shown in the graph):
start, install2.exe [THREAT], test.exe (no specs), install2.exe, test.exe, test.exe, test.exe (no specs) x4, cmd.exe (no specs) x3, conhost.exe (no specs) x3, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs) x5, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), taskkill.exe (no specs) x2, cmd.exe (no specs), conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs)

Process information

PID: 68
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 300
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 812
CMD: taskkill /f /im opera.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 964
CMD: C:\WINDOWS\system32\cmd.exe /c "taskkill /f /im browser.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: test.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 1076
CMD: taskkill /f /im msedge.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1168
CMD: "C:\Users\admin\AppData\Local\Temp\onefile_2092_133728011169190944\test.exe" "--multiprocessing-fork" "parent_pid=6956" "pipe_handle=684"
Path: C:\Users\admin\AppData\Local\Temp\onefile_2092_133728011169190944\test.exe
Parent process: test.exe
User:
admin
Integrity Level:
HIGH
Exit code:
65536
Modules
Images
c:\users\admin\appdata\local\temp\onefile_2092_133728011169190944\test.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1312
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: "C:\Users\admin\AppData\Local\Temp\onefile_2092_133728011169190944\test.exe" "--multiprocessing-fork" "parent_pid=6956" "pipe_handle=676"
Path: C:\Users\admin\AppData\Local\Temp\onefile_2092_133728011169190944\test.exe
Parent process: test.exe
User:
admin
Integrity Level:
HIGH
Exit code:
65536
Modules
Images
c:\users\admin\appdata\local\temp\onefile_2092_133728011169190944\test.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1772
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1808
CMD: taskkill /f /im opera.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 6,730
Read events: 6,730
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 44
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_ctypes.pyd | executable
MD5: 9B344F8D7CE5B57E397A475847CC5F66
SHA256: B1214D7B7EFD9D4B0F465EC3463512A1CBC5F59686267030F072E6CE4B2A95CF
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_elementtree.pyd | executable
MD5: 4CAB6106384975779645325B65737800
SHA256: C2DCBEAFD39F8134DCB15A51F825035F71B6E956CD13A2745C00626253148B5E
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_lzma.pyd | executable
MD5: 0C7EA68CA88C07AE6B0A725497067891
SHA256: F74AAF0AA08CF90EB1EB23A474CCB7CB706B1EDE7F911DAF7AE68480765BDF11
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_decimal.pyd | executable
MD5: 692C751A1782CC4B54C203546F238B73
SHA256: C70F05F6BC564FE400527B30C29461E9642FB973F66EEC719D282D3D0B402F93
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_bz2.pyd | executable
MD5: A62207FC33140DE460444E191AE19B74
SHA256: EBCAC51449F323AE3AE961A33843029C34B6A82138CCD9214CF99F98DD2148C2
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_sqlite3.pyd | executable
MD5: FFB03C18ED0F340FE9D86ABAA9EEF835
SHA256: 1D4E17237A10B68D16634FC9698EDF342B40478D92FA15D574D212C7A44B05BB
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\_queue.pyd | executable
MD5: 06248702A6CD9D2DD20C0B1C6B02174D
SHA256: AC177CD84C12E03E3A68BCA30290BC0B8F173EEE518EF1FA6A9DCE3A3E755A93
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\libcrypto-1_1.dll | executable
MD5: 9D7A0C99256C50AFD5B0560BA2548930
SHA256: 9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\pyexpat.pyd | executable
MD5: 48E6930E3095F5A2DCF9BAA67098ACFB
SHA256: C1ED7017CE55119DF27563D470E7DC3FB29234A7F3CD5FC82D317B6FE559300B
4824 | install2.exe | C:\Users\admin\AppData\Local\Temp\onefile_4824_133728010904317028\libffi-8.dll | executable
MD5: 0F8E4992CA92BAAF54CC0B43AACCCE21
SHA256: EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A
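Every dropped file sits under %LOCALAPPDATA%\Temp\onefile_4824_133728010904317028\, and the names (_ctypes.pyd, _sqlite3.pyd, libcrypto-1_1.dll, libffi-8.dll, ...) are stock CPython extension modules and their support DLLs. This is the layout Nuitka's onefile mode unpacks before starting the compiled program, which fits the "drops a Python dynamic module" and "drops C-runtime libraries" signatures and the linker version in the EXIF block (2.41 is a GNU ld/binutils number, not an MSVC one; Nuitka builds with MinGW-w64 by default on Windows). Nuitka's default temp-dir spec is onefile_{PID}_{TIME}, so the directory name carries the bootstrap's own PID (4824 and 2092, the two install2.exe PIDs in this report) and a timestamp. The added example below, written for this page and not part of the report or of Nuitka, decodes that timestamp as a Windows FILETIME (an assumption, but one that checks out: both directories decode to 2024-10-07 18:58 UTC, seconds after the recorded analysis start) and splits the drops into stock runtime pieces and everything else, which is where the analyst's attention belongs. The runtime allow-list and the constructed rows are the example's own; the SHA-256 values are the ones listed above, and test.exe is left unhashed because the report does not hash it.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONEFILE_DIR_RE = re.compile(r"onefile_(?P<pid>\d+)_(?P<time>\d+)", re.IGNORECASE)

# Stock CPython extension modules and support DLLs that a Nuitka onefile build unpacks
# next to its compiled payload. Triage allow-list for this example only: not exhaustive,
# and a name match is not a hash match (a payload can be renamed to look like one).
RUNTIME_NAMES = {"_ctypes.pyd", "_elementtree.pyd", "_lzma.pyd", "_decimal.pyd", "_bz2.pyd",
                 "_sqlite3.pyd", "_queue.pyd", "_socket.pyd", "_ssl.pyd", "_hashlib.pyd",
                 "pyexpat.pyd", "select.pyd", "unicodedata.pyd",
                 "libcrypto-1_1.dll", "libssl-1_1.dll", "libffi-8.dll", "sqlite3.dll"}
RUNTIME_PATTERNS = [re.compile(r"^python3\d*\.dll$", re.IGNORECASE),
                    re.compile(r"^(vcruntime|msvcp|ucrtbase).*\.dll$", re.IGNORECASE)]

TEMP = r"C:\Users\admin\AppData\Local\Temp"
# Constructed rows (PID, dropping process, path, SHA-256) taken from this report's dropped
# files table; the test.exe row is the payload from the process table, which the report
# lists but does not hash, so its digest is left empty rather than invented.
DROPPED = [
    (4824, "install2.exe", TEMP + r"\onefile_4824_133728010904317028\_ctypes.pyd",
     "B1214D7B7EFD9D4B0F465EC3463512A1CBC5F59686267030F072E6CE4B2A95CF"),
    (4824, "install2.exe", TEMP + r"\onefile_4824_133728010904317028\_sqlite3.pyd",
     "1D4E17237A10B68D16634FC9698EDF342B40478D92FA15D574D212C7A44B05BB"),
    (4824, "install2.exe", TEMP + r"\onefile_4824_133728010904317028\libcrypto-1_1.dll",
     "9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939"),
    (4824, "install2.exe", TEMP + r"\onefile_4824_133728010904317028\libffi-8.dll",
     "EFF52743773EB550FCC6CE3EFC37C85724502233B6B002A35496D828BD7B280A"),
    (2092, "install2.exe", TEMP + r"\onefile_2092_133728011169190944\test.exe", ""),
]


def decode_onefile_path(path):
    """Return the bootstrap PID and unpack time encoded in a Nuitka onefile temp path,
    or None when the path does not follow the onefile_<PID>_<FILETIME> scheme."""
    m = ONEFILE_DIR_RE.search(path)
    if not m:
        return None
    ticks = int(m.group("time"))
    return {
        "pid": int(m.group("pid")),
        # ticks // 10 turns 100 ns units into microseconds, which timedelta holds exactly.
        "unpacked_at": FILETIME_EPOCH + timedelta(microseconds=ticks // 10),
    }


def is_runtime_file(name):
    n = name.lower()
    return n in RUNTIME_NAMES or any(p.match(n) for p in RUNTIME_PATTERNS)


def triage_dropped(rows):
    """Group dropped files by onefile directory and separate stock runtime pieces from
    everything else; also check that the PID in the directory name is the dropper's."""
    out = {}
    for pid, proc, path, sha256 in rows:
        info = decode_onefile_path(path)
        if info is None:
            continue
        dirname = path.rsplit("\\", 2)[-2]          # 'onefile_<pid>_<time>'
        entry = out.setdefault(dirname, {
            "bootstrap_pid": info["pid"],
            "pid_matches_dropper": info["pid"] == pid,
            "unpacked_at": info["unpacked_at"].replace(microsecond=0),
            "runtime": [],
            "payload": [],
        })
        name = path.rsplit("\\", 1)[-1]
        bucket = entry["runtime"] if is_runtime_file(name) else entry["payload"]
        bucket.append((name, sha256 or "not hashed in report"))
    return out


if __name__ == "__main__":
    for d, e in triage_dropped(DROPPED).items():
        print(d, e["unpacked_at"].isoformat(), "payload:", [n for n, _ in e["payload"]])
```

The two decoded times (18:58:10 and 18:58:36 UTC) also order the two install2.exe runs: PID 4824 is the first execution, PID 2092 the later "manual execution by a user" from the INFO signatures.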
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 6
Threats: 7

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2280 | svchost.exe | GET | 200 | 23.7.139.93:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.7.139.93:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2280 | svchost.exe | 23.7.139.93:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
2120 | MoUsoCoreWorker.exe | 23.7.139.93:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | shared
| | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | shared
2280 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4324 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
www.microsoft.com | 23.7.139.93 | whitelisted
google.com | 142.251.39.110 | whitelisted
ipinfo.io | 34.117.59.81 | shared
api.telegram.org | 149.154.167.220 | shared

Threats

PID | Process | Class | Message
| | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo .io)
| | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
| | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
| | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
| | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
1448 | test.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo .io)
6956 | test.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
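Most of the Threats rows are generic policy hits (an external-IP lookup at ipinfo.io from PID 1448; the Telegram Bot API domain in DNS and TLS SNI from PID 6956). The ANY.RUN row "Possible sending an external IP address to Telegram" is the join that matters: a fresh public-IP lookup followed within seconds by a session to api.telegram.org from the same process tree, running out of a Temp directory, is the check-in of a Telegram-bot-based stealer. Because the Bot API is https://api.telegram.org/bot<token>/<method>, the token and the exfiltrated message sit inside TLS; without interception in the sandbox only the DNS name, the SNI and the process context are visible, and api.telegram.org by itself is not malicious on hosts that run legitimate bots, so the correlation plus process origin is the discriminator. The correlator below is an added example for this page, not ANY.RUN's detection logic. It consumes constructed connection records whose processes, destinations and host names come from this report's Connections and Threats tables; the timestamps, the parent-process links, the images outside Temp and the benign control connection (PID 5200) are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "ifconfig.me", "icanhazip.com",
                   "ip-api.com", "checkip.amazonaws.com"}
TELEGRAM_API = "api.telegram.org"
ONEFILE_RE = re.compile(r"\\Temp\\onefile_\d+_\d+\\", re.IGNORECASE)
WINDOW = timedelta(seconds=120)   # the lookup must precede the Telegram session by at most this

ONEFILE = r"C:\Users\admin\AppData\Local\Temp\onefile_2092_133728011169190944\test.exe"
T0 = datetime(2024, 10, 7, 18, 58, 40, tzinfo=timezone.utc)   # assumed; analysis began 18:58:04

# Constructed process tree and connection log. Processes, destinations and host names are
# taken from this report's tables; parent links, images outside Temp, timestamps and the
# benign control (PID 5200, an operator's own alerting bot) are assumptions for the example.
PARENTS = {1448: 6956, 6956: 2092, 2092: 4100, 2280: 668, 5200: 4100}
IMAGES = {1448: ONEFILE, 6956: ONEFILE, 2092: r"C:\Users\admin\Desktop\install2.exe",
          4100: r"C:\Windows\explorer.exe", 668: r"C:\Windows\System32\services.exe",
          2280: r"C:\Windows\System32\svchost.exe", 5200: r"C:\Python312\python.exe"}
CONNECTIONS = [
    {"ts": T0, "pid": 2280, "dst": "23.7.139.93:80", "host": "www.microsoft.com"},
    {"ts": T0 + timedelta(seconds=2), "pid": 1448, "dst": "34.117.59.81:443", "host": "ipinfo.io"},
    {"ts": T0 + timedelta(seconds=5), "pid": 6956, "dst": "149.154.167.220:443", "host": "api.telegram.org"},
    {"ts": T0 + timedelta(minutes=30), "pid": 5200, "dst": "149.154.167.220:443", "host": "api.telegram.org"},
]


def tree_key(pid):
    """Collapse a PID onto the Nuitka onefile directory of its nearest ancestor (itself
    included) so the payload and its --multiprocessing-fork workers share one key;
    processes with no such ancestor keep their own PID as the key."""
    cur, seen = pid, set()
    while cur is not None and cur not in seen:
        seen.add(cur)
        hit = ONEFILE_RE.search(IMAGES.get(cur, ""))
        if hit:
            return hit.group(0).lower()
        cur = PARENTS.get(cur)
    return pid


def correlate(connections):
    """Pair each api.telegram.org session with an external-IP lookup made earlier, within
    WINDOW, by the same process tree. Severity is raised when the Telegram client itself
    runs from a onefile temp directory."""
    lookups = [c for c in connections if c["host"] in IP_LOOKUP_HOSTS]
    alerts = []
    for tg in connections:
        if tg["host"] != TELEGRAM_API:
            continue
        key = tree_key(tg["pid"])
        for lk in lookups:
            gap = tg["ts"] - lk["ts"]
            if tree_key(lk["pid"]) == key and timedelta(0) <= gap <= WINDOW:
                from_temp = bool(ONEFILE_RE.search(IMAGES.get(tg["pid"], "")))
                alerts.append({
                    "lookup_pid": lk["pid"], "lookup_host": lk["host"],
                    "telegram_pid": tg["pid"], "telegram_dst": tg["dst"],
                    "delta_s": int(gap.total_seconds()),
                    "severity": "high" if from_temp else "medium",
                })
    return alerts


def telegram_only(connections):
    """Telegram API sessions with no correlated lookup: worth a look, not an alert."""
    paired = {a["telegram_pid"] for a in correlate(connections)}
    return [c["pid"] for c in connections if c["host"] == TELEGRAM_API and c["pid"] not in paired]


if __name__ == "__main__":
    for a in correlate(CONNECTIONS):
        print(a)
    print("uncorrelated Telegram clients:", telegram_only(CONNECTIONS))
```

Keying on the onefile directory rather than the PID is what makes the pair visible here: the lookup and the Telegram session come from two different test.exe processes (1448 and 6956), exactly as the Threats table attributes them.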
No debug info