File name: stealer.jar

Full analysis: https://app.any.run/tasks/6efd2f8b-ae9f-4a3a-bc84-78b8265e648f
Verdict: Malicious activity
Threats:

Stealers are a category of malware intended to gain unauthorized access to users’ information and transfer it to the attacker. The stealer category covers a range of programs, each focused on its particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: December 18, 2024, 12:46:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
java
github
stealer
arch-doc
telegram
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 731AE0B07A89E036A18B5712D6E7FA87
SHA1: 3A896A1CB7A97C2C27EBD5B3D16ED6A97E6D66D5
SHA256: 6F157EA5C641D0BA2EE6E010969B981B35CF20BCA7A73835A369CD7B34914465
SSDEEP: 196608:vs5ieDSFFjIVA4wN+F2+bQZMhBW3Vd5Nv0Ii4:05ioSFFcV+OvkChI3VRG4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • javaw.exe (PID: 6540)
    • Steals credentials from Web Browsers

      • javaw.exe (PID: 6540)
  • SUSPICIOUS

    • Get information on the list of running processes

      • javaw.exe (PID: 6540)
    • Starts CMD.EXE for command execution

      • javaw.exe (PID: 6540)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 6540)
    • Starts process via Powershell

      • powershell.exe (PID: 6228)
    • Starts POWERSHELL.EXE for command execution

      • cmd.exe (PID: 4132)
    • Uses WMIC.EXE to obtain a list of video controllers

      • javaw.exe (PID: 6540)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 3172)
      • WMIC.exe (PID: 5788)
      • WMIC.exe (PID: 1684)
      • WMIC.exe (PID: 4708)
    • Uses WMIC.EXE to obtain CPU information

      • javaw.exe (PID: 6540)
    • Uses WMIC.EXE to obtain operating system information

      • javaw.exe (PID: 6540)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • javaw.exe (PID: 6540)
  • INFO

    • Checks supported languages

      • javaw.exe (PID: 6540)
    • Reads the machine GUID from the registry

      • javaw.exe (PID: 6540)
    • Application based on Java

      • javaw.exe (PID: 6540)
    • Creates files in a temporary directory

      • javaw.exe (PID: 6540)
    • Reads the computer name

      • javaw.exe (PID: 6540)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6228)
    • Creates files or folders in the user directory

      • javaw.exe (PID: 6540)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 3172)
      • WMIC.exe (PID: 6240)
      • WMIC.exe (PID: 6188)
      • WMIC.exe (PID: 5788)
      • WMIC.exe (PID: 3792)
      • WMIC.exe (PID: 1684)
      • WMIC.exe (PID: 6012)
      • WMIC.exe (PID: 4052)
      • WMIC.exe (PID: 6188)
      • WMIC.exe (PID: 4708)
      • WMIC.exe (PID: 540)
      • WMIC.exe (PID: 6628)
    • Attempting to use instant messaging service

      • javaw.exe (PID: 6540)
No Malware configuration.

TRiD

.jar | Java Archive (56.8)
.zip | ZIP compressed archive (15.6)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0808
ZipCompression: Deflated
ZipModifyDate: 2024:11:06 22:01:44
ZipCRC: 0xaaa26c92
ZipCompressedSize: 716
ZipUncompressedSize: 1543
ZipFileName: org/apache/commons/codec/language/bm/Rule$1.class/
No data.
Total processes: 218
Monitored processes: 97
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Rendered in the original as an interactive process tree; entries marked "no specs" there carry no specific indicators.) Process sequence as listed: start, javaw.exe, icacls.exe, tasklist.exe, cmd.exe, powershell.exe, followed by repeated alternating runs of hostname.exe and wmic.exe, each console process paired with its own conhost.exe; svchost.exe also appears in the sequence.

Process information

PID | CMD | Path | Indicators | Parent process

PID: 540 | CMD: wmic cpu get name | Path: C:\Windows\System32\wbem\WMIC.exe | Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
PID: 1064 | CMD: hostname | Path: C:\Windows\System32\HOSTNAME.EXE | Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
PID: 1200 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: HOSTNAME.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1488 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: HOSTNAME.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1488 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: WMIC.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1684 | CMD: wmic path win32_VideoController get name | Path: C:\Windows\System32\wbem\WMIC.exe | Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ucrtbase.dll
PID: 1704 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: HOSTNAME.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2076 | CMD: hostname | Path: C:\Windows\System32\HOSTNAME.EXE | Parent process: javaw.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Hostname APP
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\hostname.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\napinsp.dll
PID: 2192 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2456 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: HOSTNAME.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 092
Read events: 16 092
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 7
Text files: 6
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6540 | javaw.exe | C:\Users\admin\AppData\Local\Microsoft\DESKTOP-JGLLJLD\Browsers\Microsoft Edge\password.txt | 
MD5:
SHA256:
6540 | javaw.exe | C:\Users\admin\AppData\Local\Microsoft\Java.exe | executable
MD5: E196B4514FF1B6AE871D59F2DA80508E
SHA256: FB6822D5B7FB08F14086C54E0B2B05F634DC8EA42F523E7FA9F2059F1F9E3FB8
6540 | javaw.exe | C:\Users\admin\AppData\Local\Temp\edge_tempfile.db | binary
MD5: 95FFD778940E6DF4846B0B12C8DD5821
SHA256: 21A2DEBD389DB456465DFEFFDB15F0AF3FBC46F007CBA67513A13EB10D14E94F
6540 | javaw.exe | C:\Users\admin\AppData\Local\Temp\tempfile.db | binary
MD5: F6C33AC5E1032A0873BE7BFC65169287
SHA256: D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
6540 | javaw.exe | C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c8061.timestamp | text
MD5: 0B25281CC8DC1397ADFBDFE7739B793A
SHA256: FE586A3905A97074A5A4C5160A4D3E5786C5E25DDA99C30E1E6F56E5717F0B59
6540 | javaw.exe | C:\Users\admin\AppData\Local\Temp\jna-92668751\jna1947326527787690215.dll | executable
MD5: 719D6BA1946C25AA61CE82F90D77FFD5
SHA256: 69C45175ECFD25AF023F96AC0BB2C45E6A95E3BA8A5A50EE7969CCAB14825C44
6228 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_edltgipc.ma3.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6540 | javaw.exe | C:\Users\admin\AppData\Local\Microsoft\DESKTOP-JGLLJLD\Game\craftrise.txt | text
MD5: C4E084CD947C96A0B82B02C634540789
SHA256: C926A5B9148DEECB9084D03187B9297B501296DE20F87DB2B689066C3FBB34D2
6228 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: AE3958ED25CF945106322C9E87130A8B
SHA256: E1CF277C5034F357140D5265260A73FE25AEBF0D6BE0BDDE842D854F1EAE0309
6540 | javaw.exe | C:\Users\admin\AppData\Local\Microsoft\DESKTOP-JGLLJLD.zip | compressed
MD5: 746AC3B6A147CEB8584AC9672E9A13EF
SHA256: 3C390D86FF734D213B5D1BFD370552A82F3AA2EAA426D09172B95145A702B1A7
HTTP(S) requests: 9
TCP/UDP connections: 42
DNS requests: 24
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2356 | svchost.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2356 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4804 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4804 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5092 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (cells left blank are empty in the report)
 |  | 192.168.100.255:137 |  |  |  | whitelisted
 |  | 2.23.209.143:443 | www.bing.com | Akamai International B.V. | GB | whitelisted
 |  | 192.168.100.255:138 |  |  |  | whitelisted
 |  | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
2356 | svchost.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2356 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 2.23.209.143, 2.23.209.140, 2.23.209.139, 2.23.209.141, 2.23.209.149, 2.23.209.142, 2.23.209.144, 2.23.209.137, 2.23.209.136 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 2.19.11.105, 2.19.11.120 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
www.microsoft.com | 88.221.169.152, 184.30.21.171 | whitelisted
login.live.com | 40.126.32.76, 40.126.32.68, 40.126.32.138, 40.126.32.136, 20.190.160.22, 40.126.32.134, 40.126.32.74, 40.126.32.133 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
github.com | 140.82.121.4 | shared
raw.githubusercontent.com | 185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133 | shared

Threats

PID | Process | Class | Message
2192 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
2192 | svchost.exe | Potentially Bad Traffic | ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
6540 | javaw.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
6540 | javaw.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
2192 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
6540 | javaw.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
6540 | javaw.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6540 | javaw.exe | Misc activity | ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
6540 | javaw.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
No debug info