Sample: DiscordHaxx 2.0 [BETA].rar
Full analysis: https://app.any.run/tasks/eba5cc92-0a69-4721-bc1a-8715c7f2002a
Verdict: Malicious activity
Threats: AsyncRAT
AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers abuse its extensive remote-control capabilities for malicious ends.
Analysis date: March 31, 2020, 00:55:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, asyncrat
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: 6E065FEC1314D3D902A8085B63D67D5D
SHA1: 1D74A48AAB769A15F7858AC156A20F0A92E383E3
SHA256: 70CA1705ABD840271C73D4A250D4EF04852D2357F535D11479927C34A9843B02
SSDEEP: 6144:c4V7cW0JE3AuZnBBbEq5gtgNt6ysSdA/uzW9mr1iwjpssSe9i4JJlpmGJCl55qoI:/J3AeB9IJSwgW9Eiwf9iK0NRp5jtA92O
ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information only. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • DiscordHaxx 2.0.exe (PID: 2692)
      • supremedeluxfnhax.exe (PID: 392)
    • ASYNCRAT was detected
      • supremedeluxfnhax.exe (PID: 392)
    • Changes the autorun value in the registry
      • DiscordHaxx 2.0.exe (PID: 2692)
  • SUSPICIOUS
    • Starts CMD.EXE for command execution
      • DiscordHaxx 2.0.exe (PID: 2692)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3376)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 3100)
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
Total processes: 41
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive in the full report; nodes shown): winrar.exe, explorer.exe (no specs), discordhaxx 2.0.exe, cmd.exe (no specs), timeout.exe (no specs), supremedeluxfnhax.exe (#ASYNCRAT); edge labels: "drop and start", "start"

Process information

PID | Command line | Path | Parent process
3376 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe
  User: admin; Company: Alexander Roshal; Integrity level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
3100 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | explorer.exe
  User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2692 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3376.47177\DiscordHaxx 2.0 [BETA]\DiscordHaxx 2.0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3376.47177\DiscordHaxx 2.0 [BETA]\DiscordHaxx 2.0.exe | WinRAR.exe
  User: admin; Integrity level: MEDIUM; Exit code: 0; Version: 1.0.0.0
2552 | cmd /c ""C:\Users\admin\AppData\Local\Temp\tmpF351.tmp.bat"" | C:\Windows\system32\cmd.exe | DiscordHaxx 2.0.exe
  User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Command Processor; Exit code: 1; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1248 | timeout 3 | C:\Windows\system32\timeout.exe | cmd.exe
  User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: timeout - pauses command processing; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
392 | "C:\Users\admin\AppData\Local\Temp\supremedeluxfnhax.exe" | C:\Users\admin\AppData\Local\Temp\supremedeluxfnhax.exe | cmd.exe
  User: admin; Integrity level: MEDIUM; Version: 1.0.0.0
Total events: 527
Read events: 491
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 14
Suspicious files: 0
Text files: 17
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\DiscordHaxx 2.0.exe | executable
  MD5: 3F90D104BD845098B4DA83B72F78D68D; SHA256: BFCAD598B3D75684181E340C22589E780500D7D9B6AF4F777D46ADA90EBB7786
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\Newtonsoft.Json.dll | executable
  MD5: D827DD8A8C4B2A2CFA23C7F90F3CCE95; SHA256: B66749B81E1489FCD8D754B2AD39EBE0DB681344E392A3F49DC9235643BDBD06
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\Information\README.txt | text
  MD5: F6CD338F09657291879605F44F78A7A3; SHA256: B6505D14BE249D624BB044EE2563F284D77C52B56FFE00BE5167CB1FFDE25479
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3376.47177\DiscordHaxx 2.0 [BETA]\DiscordHaxx 2.0.exe | executable
  MD5: 3F90D104BD845098B4DA83B72F78D68D; SHA256: BFCAD598B3D75684181E340C22589E780500D7D9B6AF4F777D46ADA90EBB7786
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\Themes\Flame.dht | text
  MD5: 974545594C3AC93B4EFDAB095728DC09; SHA256: 5FFAFE8238C26B98E8447D929E42A5FAE1BFD155560942FD19F287FC2381A787
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\DHSettings.dll | executable
  MD5: BA04E959B6071B4749A08A29EFF2FE9D; SHA256: BEECF1CED20C97A41986BB5EEC8435D8299E884F194A1FE148CB2299C27EA7F7
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3376.47177\DiscordHaxx 2.0 [BETA]\DHSettings.dll | executable
  MD5: BA04E959B6071B4749A08A29EFF2FE9D; SHA256: BEECF1CED20C97A41986BB5EEC8435D8299E884F194A1FE148CB2299C27EA7F7
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\Themes\Icons\AppleTheme.ico | image
  MD5: 4EDE8EFF1669E9F4B8889B4DF77F8A0C; SHA256: 755CBD5E30832A4AD32CCB211794BD9AD2900909CF2075F6F262C65F3FF7E893
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\TokenGrabber.bin | executable
  MD5: FAB9ED6DE6C7579B5C3D3798042A9FDB; SHA256: C14CB0E81F3584BEA99E33610F369EE8DEE89BFDAED34C12A331891B93CB8B2D
3376 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\d1956062-4486-4042-95fd-2dd79266ae58\Vestris.ResourceLib.dll | executable
  MD5: 64E9CB25AEEFEEBA3BB579FB1A5559BC; SHA256: 34CAB594CE9C9AF8E12A6923FC16468F5B87E168777DB4BE2F04DB883C1DB993
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests: No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
392 | supremedeluxfnhax.exe | 86.173.137.217:80 | (none) | British Telecommunications PLC | GB | unknown

DNS requests: No data

Threats: No threats detected

Debug info: No debug info