File name: 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe

Full analysis: https://app.any.run/tasks/4e271e58-8225-47ce-978d-4c91f730364d
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: September 23, 2024, 19:42:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: stealerium, stealer, discordgrabber, generic, ims-api, stormkitty
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2881D62826EB02AC92A022B2155E4007
SHA1: 6F4F17A34A7C0D0511E417440F40EB6094FA7F11
SHA256: 913C27A9D6E08E37F8FEE60C6D5F424D8E220C930071BAEA68390AAA028EBC72
SSDEEP: 98304:RgcNOTFNo4IAKPd88f0j5cmBNj6xQHbdVKfBRl6b/Q7DnSRyrBrl0+JAZCaF7uGu:F+8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • STEALERIUM has been detected (YARA)
      • RegAsm.exe (PID: 4284)
    • STORMKITTY has been detected (YARA)
      • RegAsm.exe (PID: 4284)
    • DISCORDGRABBER has been detected (YARA)
      • RegAsm.exe (PID: 4284)
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
    • Starts CMD.EXE for commands execution
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
      • cmd.exe (PID: 3952)
    • Executable content was dropped or overwritten
      • cmd.exe (PID: 3952)
      • Pen.pif (PID: 6304)
    • Executing commands from a ".bat" file
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
    • Application launched itself
      • cmd.exe (PID: 3952)
    • Starts application with an unusual extension
      • cmd.exe (PID: 3952)
    • The executable file from the user directory is run by the CMD process
      • Pen.pif (PID: 6304)
    • Process drops legitimate windows executable
      • Pen.pif (PID: 6304)
    • The process creates files with name similar to system file names
      • Pen.pif (PID: 6304)
    • Possible usage of Discord/Telegram API has been detected (YARA)
      • RegAsm.exe (PID: 4284)
    • Starts a Microsoft application from unusual location
      • RegAsm.exe (PID: 4284)
    • Connects to unusual port
      • RegAsm.exe (PID: 4284)
  • INFO
    • Reads the computer name
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
      • Pen.pif (PID: 6304)
    • Checks supported languages
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
      • Pen.pif (PID: 6304)
    • The process uses the downloaded file
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
    • Create files in a temporary directory
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
      • Pen.pif (PID: 6304)
    • Process checks computer location settings
      • 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (PID: 2492)
    • Reads mouse settings
      • Pen.pif (PID: 6304)
    • Manual execution by a user
      • RegAsm.exe (PID: 4284)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

StormKitty

(PID) Process: (4284) RegAsm.exe
C2 (1): 157.20.182.183
Ports (1): 4545
Version: 1.0.7
Options
  AutoRun: false
  Mutex: jvdrpixcxfkcdwvr
  InstallFolder: %PreLoadSQLite_TargetFramework%
Certificates
  Cert1: MIICMDCCAZmgAwIBAgIVAJn2ThbDYnPCiWYXobiG8VkVu8YTMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDE5OUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTTk5SYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMTIxMDExNTE1M1oXDTM0MDkxODExNTE1M1owEDEOMAwGA1UEAwwFTk5SYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A...
  Server_Signature: lctaxAZow0FCSbEBUPYims/j4BGSTgCvC+6sIO3Tmi6U2S66+UPMF+PHjku+50RKnL9PSGDt378W7VGVY8jd92tF2cf6PGkXDdf1VO1OCRocJKbRw8Oq2D4WIHy0BeiAvcTRvcs7Meo3t4Yr+j+9TCbsjVO9kA+29jWIhO4Uoo8=
Keys
  AES: c77a6137cc69759ecf2fcca159ceb319dd869f8626c0c53a96c47fff7ec3e02a
  Salt: NNRatByqwqdanchun

ims-api

(PID) Process: (4284) RegAsm.exe
Discord-Webhook-Tokens (1): 1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM
Discord-Info-Links
  1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM
  Get Webhook Info: https://discord.com/api/webhooks/1016614786533969920/fMJOOjA1pZqjV8_s0JC86KN9Fa0FeGPEHaEak8WTADC18s5Xnk3vl2YBdVD37L0qTWnM
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28672
InitializedDataSize: 4119040
UninitializedDataSize: 16896
EntryPoint: 0x3899
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 127
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 3

Behavior graph

Graph nodes: start → 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe (no specs), cmd.exe, conhost.exe (no specs), cmd.exe (no specs), pen.pif, choice.exe (no specs), regasm.exe (#STEALERIUM)

Process information

PID: 2492
CMD: "C:\Users\admin\Desktop\913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe"
Path: C:\Users\admin\Desktop\913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  c:\users\admin\desktop\913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll

PID: 3952
CMD: "C:\Windows\System32\cmd.exe" /c move Dressed Dressed.bat & Dressed.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID: 4284
CMD: C:\Users\admin\AppData\Local\Temp\128101\RegAsm.exe
Path: C:\Users\admin\AppData\Local\Temp\128101\RegAsm.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 4.8.9037.0 built by: NET481REL1
PID: 5160
CMD: cmd /c copy /b ..\Elderly + ..\Suggests + ..\Wait + ..\Cock + ..\Revolution + ..\Pending + ..\Copyright + ..\Comic + ..\Searching + ..\Carries + ..\Architectural + ..\Ethical + ..\Usb + ..\Known + ..\Experiences + ..\Quebec + ..\Writes + ..\Galleries + ..\Potato + ..\Handheld + ..\Properly + ..\Malta + ..\Autos + ..\Proteins + ..\Opt + ..\Bonds + ..\Adware + ..\Compilation G
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\cmd.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 6304
CMD: Pen.pif G
Path: C:\Users\admin\AppData\Local\Temp\128101\Pen.pif
Parent process: cmd.exe
User: admin
Company: AutoIt Team
Integrity Level: MEDIUM
Description: AutoIt v3 Script
Exit code: 0
Version: 3, 3, 14, 3
Modules (images):
  c:\users\admin\appdata\local\temp\128101\pen.pif
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\psapi.dll

PID: 6544
CMD: choice /d y /t 5
Path: C:\Windows\SysWOW64\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\choice.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 6588
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 678
Read events: 678
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 31
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Malta | binary
MD5:4A4919FC37587CF6949156832158576C
SHA256:29E4396940AAEA7157D8755163B4F7B3545406C5C5223D14652216638FF83D00
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Usb | vc
MD5:DBD57E07377D2F2D03713355C8A526A2
SHA256:33892E724136D72078B2CF74CBA6B755E9CA8251724EA611F0DEBE423823B447
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Architectural | binary
MD5:DBF6B9C8DEABB23821028B99E66F94E5
SHA256:7554F86895353261131B1A3FD229DF3327ED561BABA5802EEF457B244A77A838
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Experiences | binary
MD5:E4DC2149ECF3BF18BFE5D1FB16F88A0D
SHA256:718935BB499928BCBF799BA08B9D49E6441E9254311E2ACCE5CA79E7D81DB4C1
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Eclipse | binary
MD5:B698ECBCC3A86FD40D09A5566558E98D
SHA256:43FFBE18EBB46B2F2EF37CFFFF210AF01A7A019CFEE6458228501ACD2F86F595
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Cock | binary
MD5:C372151930D57E15713A51AF2D7E717B
SHA256:0FCB5D3577DEF516AE8512B99FEEFAB62F8409C3FD2B4B84266AE22B6AC66022
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Adware | binary
MD5:185060B157DE87C5604F5D17816212FC
SHA256:32525398AAC649A50B0BF08E438805C318649DC793C2469DF5B21CC86658E92D
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Copyright | binary
MD5:5F0840A6162ED821B763A295816E983C
SHA256:33A0822C7B1783D96FDEEABC5ED083D13983A81E924EB80061C7CACEAD86BFDF
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Compilation | binary
MD5:1C584BD5668EFE9BA9868C5CA2E90926
SHA256:913A7EA7B7357DE6EBB232CB783AA9F1E045D6994E6E3A607079D8D69F5DA96B
2492 | 913c27a9d6e08e37f8fee60c6d5f424d8e220c930071baea68390aaa028ebc72.exe | C:\Users\admin\AppData\Local\Temp\Carries | binary
MD5:4E3DDEFAF464A4BFDB35BC3B7F5FAF17
SHA256:6CA3E5E78021C12CCF8E1EE240B410BC1FE1EB8220635C53FCA40B03E0B937D6
Download the PCAP and analyze network streams, HTTP content and more in the full report.

HTTP(S) requests: 1
TCP/UDP connections: 36
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5104 | svchost.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6832 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5104 | svchost.exe | 72.246.169.155:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
google.com | 142.250.186.110 | whitelisted
www.microsoft.com | 72.246.169.155 | whitelisted
ludRwdFpPNExcSjOGep.ludRwdFpPNExcSjOGep | - | unknown

Threats

No threats detected
No debug info