File name: Discord Tokens Generator.zip

Full analysis: https://app.any.run/tasks/6e33a61b-b5dc-45fc-bd73-87a364639964
Verdict: Malicious activity
Analysis date: October 20, 2020, 03:16:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: B1B310BB23492228FEC2352927E3B6EE
SHA1: 14E28A28A5D67562B145EB34012A98769D69F654
SHA256: 95E4FF61B8BD20F5FB6B4A445F59503447926B30BB886C6335FE3339002AE1A1
SSDEEP: 393216:Xz6wDVoaHjC9xH2/qX3e4dt4BQDP6Ew/1p21vys:Xz6wDnHm9xWUpHAkU/1p+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Discord Tokens Generator.exe (PID: 2584)
      • Discord Tokens Generator.exe (PID: 3620)
    • Actions look like stealing of personal data

      • Discord Tokens Generator.exe (PID: 2584)
    • Loads dropped or rewritten executable

      • Discord Tokens Generator.exe (PID: 2584)
  • SUSPICIOUS

    • Application launched itself

      • Discord Tokens Generator.exe (PID: 3620)
    • Loads Python modules

      • Discord Tokens Generator.exe (PID: 2584)
    • Creates files in the user directory

      • Discord Tokens Generator.exe (PID: 2584)
    • Starts CMD.EXE for commands execution

      • Discord Tokens Generator.exe (PID: 2584)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3260)
      • Discord Tokens Generator.exe (PID: 3620)
  • INFO

    • Manual execution by user

      • notepad.exe (PID: 3904)
      • cmd.exe (PID: 2928)
      • chrome.exe (PID: 3876)
      • NOTEPAD.EXE (PID: 3192)
      • cmd.exe (PID: 1876)
      • NOTEPAD.EXE (PID: 1204)
    • Reads settings of System Certificates

      • Discord Tokens Generator.exe (PID: 2584)
      • chrome.exe (PID: 3596)
    • Reads the hosts file

      • chrome.exe (PID: 3876)
      • chrome.exe (PID: 3596)
    • Application launched itself

      • chrome.exe (PID: 3876)
    • Dropped object may contain Bitcoin addresses

      • Discord Tokens Generator.exe (PID: 3620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Discord Tokens Generator.exe
ZipUncompressedSize: 15862039
ZipCompressedSize: 15573797
ZipCRC: 0xfe490d13
ZipModifyDate: 2020:10:05 10:29:01
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 94
Monitored processes: 50
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree (recovered from the interactive graph): explorer.exe -> WinRAR.exe (3260), which drops and starts Discord Tokens Generator.exe (3620) -> Discord Tokens Generator.exe (2584) -> cmd.exe (3132). The remaining chrome.exe, notepad.exe and cmd.exe processes were started manually by the user; chrome.exe in turn spawned its own helper processes.

Process information

PID: 3260
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Discord Tokens Generator.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3620
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 4294967295 (0xFFFFFFFF, i.e. -1)

PID: 2584
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe
Parent process: Discord Tokens Generator.exe
User: admin
Integrity Level: MEDIUM
Exit code: 4294967295 (0xFFFFFFFF, i.e. -1)

PID: 3132
CMD: C:\Windows\system32\cmd.exe /c title ThisEsteb - Discord Tokens Generator - 0 Tokens
Path: C:\Windows\system32\cmd.exe
Parent process: Discord Tokens Generator.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3876
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2576
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f70a9d0,0x6f70a9e0,0x6f70a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3872
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3548 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3112
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,1031986387425097470,12622182521222023346,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17834590419946212576 --mojo-platform-channel-handle=1020 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 3596
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,1031986387425097470,12622182521222023346,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11526999282667165897 --mojo-platform-channel-handle=1600 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3736
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,1031986387425097470,12622182521222023346,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1427887784047350096 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
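The following Python script is an added example, not part of the ANY.RUN report or its signature engine. It transcribes the four payload-related rows of the process table above into records and runs a few triage heuristics over them: execution from WinRAR's Rar$EX scratch directory (the archive was never extracted to disk by the user, the file was opened straight from WinRAR), a process spawning a copy of itself (the report's "Application launched itself" signature), cmd.exe started by a process living in a user temp directory, and the DWORD exit code 4294967295 decoded to -1. Parent PIDs are an assumption inferred from the signature attributions (PID 3620 launched itself, PID 2584 started cmd.exe); the report lists parents by image name only.

```python
"""Added example: triage of the process table from the ANY.RUN report above.

Records are transcribed from the report. Parent PIDs are inferred from the
signature attributions (3620 "launched itself" -> 2584; 2584 "Starts CMD.EXE"
-> 3132); the report names parents by image only. Heuristics are the
editor's own, not ANY.RUN signatures.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Proc:
    pid: int
    image: str            # full path of the executable image
    cmdline: str
    parent_pid: Optional[int]
    exit_code: Optional[int] = None


# Constructed from the report's "Process information" table.
PROCS: List[Proc] = [
    Proc(3260, r"C:\Program Files\WinRAR\WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Discord Tokens Generator.zip"',
         None, 0),
    Proc(3620, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe",
         r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe"',
         3260, 4294967295),
    Proc(2584, r"C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe",
         r'"C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe"',
         3620, 4294967295),
    Proc(3132, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c title ThisEsteb - Discord Tokens Generator - 0 Tokens",
         2584, 0),
]

# WinRAR extracts to %TEMP%\Rar$EXa<pid>.<n>\ when a file is opened from inside the archive.
RAR_TEMP_DIR = re.compile(r"\\Temp\\Rar\$EX[a-z]\d+\.\d+\\", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def to_signed32(code: int) -> int:
    """Windows reports exit codes as DWORDs; 4294967295 is 0xFFFFFFFF, i.e. -1."""
    return code - 2**32 if code >= 2**31 else code


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [tags]} for every process that matches at least one heuristic."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}

    def tag(pid: int, label: str) -> None:
        findings.setdefault(pid, []).append(label)

    for p in procs:
        parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
        image = p.image.lower()

        # 1. Executable run straight out of the archiver's scratch directory.
        if RAR_TEMP_DIR.search(p.image):
            tag(p.pid, "exec_from_rar_temp")

        # 2. A binary spawning a second copy of itself: typical of onefile
        #    packers whose bootloader unpacks, then re-executes the payload.
        if parent is not None and parent.image.lower() == image:
            tag(p.pid, "self_spawn")

        # 3. cmd.exe started by something living in a user-writable temp dir.
        if image.endswith("\\cmd.exe") and parent is not None and USER_TEMP.search(parent.image):
            tag(p.pid, "cmd_from_temp_parent")

        # 4. Exit code -1: the process did not finish cleanly (crash, unhandled
        #    exception or deliberate abort), worth checking in the full report.
        if p.exit_code is not None and to_signed32(p.exit_code) == -1:
            tag(p.pid, "exit_minus_one")

    return findings


if __name__ == "__main__":
    for pid, tags in sorted(triage(PROCS).items()):
        print(pid, ", ".join(tags))
```

Run as-is it prints one line per flagged PID; WinRAR itself (3260) gets no tag, both payload processes are flagged for running from the Rar$EX directory and exiting with -1, 2584 is additionally flagged as a self-spawn, and 3132 is flagged as cmd.exe launched by a temp-directory parent.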
Total events: 1 895
Read events: 1 675
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 76
Suspicious files: 163
Text files: 1 089
Unknown types: 6

Dropped files

PID | Process | Filename | Type
3260 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3260.15810\Discord Tokens Generator.exe | executable
  MD5: 37195F745437208103E331C64DA5B908
  SHA256: 33081DD31F8712B1255F910C58B01F68E8BA1B20F9B7174B1459BEF807F2A4B3
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_cfb.cp38-win32.pyd | executable
  MD5: D26D006C35E1F37C8ACA392787521B4F
  SHA256: E6B6959B7104B86D80C47E0D538077D8705043431EC4DAE61471543533E16FA4
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Hash\_BLAKE2b.cp38-win32.pyd | executable
  MD5: 578E8F078926F5DECFC3A9C943621DE2
  SHA256: 764CE76589515870DC1037DF974CF65F552393DEB88E646D3E937F32D1E35ED8
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_des.cp38-win32.pyd | executable
  MD5: 302449E8BAA408E6A6E218B324383D33
  SHA256: F6DDF25D9A4A3EB86293BB6E849E515D4BEEA49908E281AE1B286CAAAD514E7C
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_aesni.cp38-win32.pyd | executable
  MD5: 5D5C1BC6C74C7C83F27BA9C8C6638863
  SHA256: 53D8A935D07BC307692EB1AF1369C62E7AA051224178344270C6A2003394B67B
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_cast.cp38-win32.pyd | executable
  MD5: 6BFCD7F209C7D3E2168EEC0354E90B51
  SHA256: F526A4F1EAD0C2FAC0565830731A28B8B006CECEE809BDAFAD3A39A17A26BC39
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_ctr.cp38-win32.pyd | executable
  MD5: 37424FF388C6236FEE06022A44FD3BF9
  SHA256: FCE59443A5468B292100E19C30D093DB33F1DB5C032A265AF0944DF388DC62AD
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_arc2.cp38-win32.pyd | executable
  MD5: 81F04220BF3B7B779BFAD8C0FE2C38DE
  SHA256: 6980DA95392C9B334B41757C0D19A95B8CABFA2608E64ADBA0838A852A2CB5D6
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_ARC4.cp38-win32.pyd | executable
  MD5: FC1EF85BCF1D44DB6D32192EDAF931F4
  SHA256: DB4284303E94A682101C2C5FB73DD35405EB04AA7392E34429263547CF5B83B2
3620 | Discord Tokens Generator.exe | C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_Salsa20.cp38-win32.pyd | executable
  MD5: D60C062852DDF6117AB9764DEC4BC50D
  SHA256: 9A77AB2C8BFEE75F572B22BFF1ACE6A0E96D6C2969F38164B541B4266A35773B
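The dropped-file list, together with the "Loads Python modules" and "Application launched itself" signatures, is the fingerprint of a PyInstaller onefile build: the bootloader (PID 3620) unpacks its payload into %TEMP%\_MEI<digits>\ and then runs the real program as a child (PID 2584), and the .cp38-win32.pyd extension modules tell you the bundled interpreter is CPython 3.8, 32-bit, consistent with the 32-bit guest. The Python script below is an added example, not part of the ANY.RUN report, showing the two checks an analyst would run: inferring the packaging and interpreter from the dropped paths listed above, and locating and decoding the PyInstaller archive cookie at the end of a onefile binary (the 88-byte "!8sIIii64s" record that starts with the MEI magic, as documented by PyInstaller's bootloader and the pyinstxtractor tool). The bytes fed to the cookie parser are constructed for the demo; no real sample is parsed here. The "_raw_*" -> pycryptodome mapping is the editor's heuristic (legacy PyCrypto shipped _AES.pyd, _DES.pyd and similar names instead).

```python
"""Added example: identify PyInstaller packaging from (1) dropped-file paths and
(2) the archive cookie a onefile binary carries at the end of its overlay.
Sample paths are the ones listed in this report; the binary bytes are constructed.
"""
import re
import struct
from typing import Dict, List, Optional

# PyInstaller onefile bootloader unpacks to %TEMP%\_MEI<digits>\ (digits derived from its PID).
MEI_DIR = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)
# CPython extension ABI tag: cp38-win32 == CPython 3.8 on 32-bit Windows.
ABI_TAG = re.compile(r"\.cp(\d)(\d+)-(win32|win_amd64)\.pyd$", re.IGNORECASE)
# Editor's heuristic: "_raw_*" cipher backends under Crypto\Cipher belong to pycryptodome.
PYCRYPTODOME_BACKEND = re.compile(r"\\Crypto\\Cipher\\_raw_\w+\.", re.IGNORECASE)

# Transcribed from the report's "Dropped files" table (PID 3620).
DROPPED: List[str] = [
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_cfb.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Hash\_BLAKE2b.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_des.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_aesni.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_cast.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_ctr.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_raw_arc2.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_ARC4.cp38-win32.pyd",
    r"C:\Users\admin\AppData\Local\Temp\_MEI36202\Crypto\Cipher\_Salsa20.cp38-win32.pyd",
]


def infer_from_dropped_paths(paths: List[str]) -> Dict[str, object]:
    """Derive packer, interpreter version/arch and bundled packages from drop paths."""
    info: Dict[str, object] = {
        "pyinstaller_onefile": False,
        "mei_dirs": set(),
        "python_versions": set(),
        "arch": set(),
        "top_level_packages": set(),
        "crypto_lib": None,
    }
    for path in paths:
        m = MEI_DIR.search(path)
        if m:
            info["pyinstaller_onefile"] = True
            info["mei_dirs"].add(m.group(1))
            info["top_level_packages"].add(path[m.end():].split("\\", 1)[0])
        t = ABI_TAG.search(path)
        if t:
            info["python_versions"].add(f"{t.group(1)}.{t.group(2)}")
            info["arch"].add(t.group(3).lower())
    if any(PYCRYPTODOME_BACKEND.search(p) for p in paths):
        info["crypto_lib"] = "pycryptodome"
    return info


# PyInstaller CArchive cookie (2.1+): magic, package length, TOC offset,
# TOC length, Python version, Python DLL name; 88 bytes, network byte order.
PYI_MAGIC = b"MEI\014\013\012\013\016"
COOKIE = struct.Struct("!8sIIii64s")


def parse_pyinstaller_cookie(data: bytes) -> Optional[Dict[str, object]]:
    """Find the cookie (searched from the end of the file) and decode it; None if absent."""
    pos = data.rfind(PYI_MAGIC)
    if pos < 0 or pos + COOKIE.size > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE.unpack_from(data, pos)
    # Older bootloaders store 38 for 3.8; newer ones store major*100+minor (308) so 3.10 is unambiguous.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "overlay_start": pos + COOKIE.size - pkg_len,  # file offset where the embedded archive begins
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_dll": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def build_demo_binary() -> bytes:
    """Constructed stand-in: fake PE stub, fake archive body, then a real-format cookie."""
    stub = b"MZ" + b"\0" * 64
    archive = b"<fake CArchive body>"
    pkg_len = len(archive) + COOKIE.size
    cookie = COOKIE.pack(PYI_MAGIC, pkg_len, 0, 0, 38, b"python38.dll".ljust(64, b"\0"))
    return stub + archive + cookie


if __name__ == "__main__":
    print(infer_from_dropped_paths(DROPPED))
    print(parse_pyinstaller_cookie(build_demo_binary()))
```

On a real sample, feed the dropped "Discord Tokens Generator.exe" to parse_pyinstaller_cookie instead of build_demo_binary; a None result means the file is not a PyInstaller 2.1+ onefile build (or the overlay was stripped), and the overlay_start offset is where an extractor such as pyinstxtractor begins reading the embedded archive.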
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 70
DNS requests: 44
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3596 | chrome.exe | 216.58.211.110:443 | play.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 172.217.20.110:443 | clients2.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 172.217.17.34:443 | adservice.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 216.58.208.99:443 | www.gstatic.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 172.217.168.238:443 | apis.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 216.58.208.110:443 | ogs.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 216.58.214.14:443 | consent.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 172.217.17.36:443 | www.google.com | Google Inc. | US | whitelisted
3596 | chrome.exe | 216.58.214.13:443 | accounts.google.com | Google Inc. | US | suspicious
3596 | chrome.exe | 216.58.214.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
discord.com | 162.159.135.232 | whitelisted
clientservices.googleapis.com | 172.217.17.35 | whitelisted
accounts.google.com | 216.58.214.13 | shared
www.google.com | 172.217.17.36 | whitelisted
fonts.googleapis.com | 216.58.214.10 | whitelisted
www.gstatic.com | 216.58.208.99 | whitelisted
fonts.gstatic.com | 216.58.211.99 | whitelisted
apis.google.com | 172.217.168.238 | whitelisted
ogs.google.com | 216.58.208.110 | whitelisted
consent.google.com | 216.58.214.14 | shared

Threats

PID | Process | Class | Message
3596 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI
3596 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY Known External IP Lookup Service Domain in SNI
1 ETPRO signatures available at the full report
No debug info