URL:

https://github.com/PyroTheSinner/DISCORD-IP-GRABBER-2024-TESTED-WORKING/blob/main/SINFUL%20IP%20GRABBER.exe

Full analysis: https://app.any.run/tasks/e1047ea1-30e6-4e5b-92fc-fefb199d4bc1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: December 24, 2024, 17:56:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
evasion
discord
stealer
python
arch-doc
pyinstaller
Indicators:
MD5:

FC83E5D9CFBCC4F3F68472ECD437ED31

SHA1:

5D030355530E1CD5242234C8BF0F208E08338CF1

SHA256:

A2523BE714B02052109FFF8219559ACD46A41C90FE18F83449B637B2B3EAB02D

SSDEEP:

3:N8tEdchusyttsOTERfjcGYUnng0An:2u64sQ2SsfjSN0A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • SINFUL IP GRABBER.exe (PID: 3532)

    • Changes the autorun value in the registry

      • reg.exe (PID: 5000)

    • Steals credentials from Web Browsers

      • SINFUL IP GRABBER.exe (PID: 3532)

  • SUSPICIOUS

    • Process drops python dynamic module

      • SINFUL IP GRABBER.exe (PID: 4872)

    • Executable content was dropped or overwritten

      • SINFUL IP GRABBER.exe (PID: 4872)
      • SINFUL IP GRABBER.exe (PID: 3532)

    • The process drops C-runtime libraries

      • SINFUL IP GRABBER.exe (PID: 4872)

    • Process drops legitimate windows executable

      • SINFUL IP GRABBER.exe (PID: 4872)

    • Application launched itself

      • SINFUL IP GRABBER.exe (PID: 4872)

    • Loads Python modules

      • SINFUL IP GRABBER.exe (PID: 3532)

    • Starts CMD.EXE for commands execution

      • SINFUL IP GRABBER.exe (PID: 3532)

    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 2744)
      • cmd.exe (PID: 6540)
      • cmd.exe (PID: 6888)
      • cmd.exe (PID: 6896)

    • Accesses product unique identifier via WMI (SCRIPT)

      • WMIC.exe (PID: 5400)
      • WMIC.exe (PID: 6720)
      • WMIC.exe (PID: 7828)
      • WMIC.exe (PID: 6092)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4740)
      • cmd.exe (PID: 4264)

    • Executing commands from a ".bat" file

      • SINFUL IP GRABBER.exe (PID: 3532)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2092)
      • cmd.exe (PID: 4512)
      • cmd.exe (PID: 5892)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 6316)
      • firefox.exe (PID: 6368)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 6368)

    • Reads the computer name

      • SINFUL IP GRABBER.exe (PID: 4872)
      • SINFUL IP GRABBER.exe (PID: 3532)

    • Checks supported languages

      • SINFUL IP GRABBER.exe (PID: 4872)
      • SINFUL IP GRABBER.exe (PID: 3532)

    • Create files in a temporary directory

      • SINFUL IP GRABBER.exe (PID: 4872)
      • SINFUL IP GRABBER.exe (PID: 3532)

    • The sample compiled with english language support

      • SINFUL IP GRABBER.exe (PID: 4872)

    • The process uses the downloaded file

      • firefox.exe (PID: 6368)

    • Checks operating system version

      • SINFUL IP GRABBER.exe (PID: 3532)

    • Reads the machine GUID from the registry

      • SINFUL IP GRABBER.exe (PID: 3532)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5400)
      • WMIC.exe (PID: 6720)
      • WMIC.exe (PID: 6092)
      • WMIC.exe (PID: 7828)

    • Checks proxy server information

      • SINFUL IP GRABBER.exe (PID: 3532)

    • PyInstaller has been detected (YARA)

      • SINFUL IP GRABBER.exe (PID: 4872)

    • Creates files or folders in the user directory

      • SINFUL IP GRABBER.exe (PID: 3532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
172
Monitored processes
42
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs sinful ip grabber.exe sinful ip grabber.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs cmd.exe no specs conhost.exe no specs netsh.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
556\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2092C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"C:\Windows\System32\cmd.exeSINFUL IP GRABBER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2212netsh wlan show profilesC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2744C:\WINDOWS\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"C:\Windows\System32\cmd.exeSINFUL IP GRABBER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3364netsh wlan show profilesC:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
3532"C:\Users\admin\Downloads\SINFUL IP GRABBER.exe" C:\Users\admin\Downloads\SINFUL IP GRABBER.exe
SINFUL IP GRABBER.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\downloads\sinful ip grabber.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4264C:\WINDOWS\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\admin\AppData\Roaming\empyrean\run.bat /f"C:\Windows\System32\cmd.exeSINFUL IP GRABBER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4512C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles"C:\Windows\System32\cmd.exeSINFUL IP GRABBER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
4668reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4716C:\WINDOWS\system32\cmd.exe /c "ver"C:\Windows\System32\cmd.exeSINFUL IP GRABBER.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 168
Read events
8 165
Write events
2
Delete events
1

Modification events

(PID) Process:(6368) firefox.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(4668) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:empyrean
Value:
(PID) Process:(5000) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:empyrean
Value:
C:\Users\admin\AppData\Roaming\empyrean\run.bat
Executable files
97
Suspicious files
187
Text files
73
Unknown types
0

Dropped files

PID
Process
Filename
Type
6368firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin
MD5:
SHA256:
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-walbinary
MD5:7DF99A0AE24008DEBEEB548A5B76DD6A
SHA256:BE756D3C19CA1B4C230583CA014EA7C4C20F527CD0990F4C0BFF1B615C169D0D
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.tmpbinary
MD5:3B156E12141F8CBCE9D60CDCE2077617
SHA256:E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\datareporting\glean\db\data.safe.bindbf
MD5:3B156E12141F8CBCE9D60CDCE2077617
SHA256:E6287E44B44ABEA20E1B2E3F415D22B9E5E5FBBC155AD9DADBABA63951B2AF6F
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\protections.sqlite-journalbinary
MD5:A594B4E70DF68D1A16C51EA1D9CF91FF
SHA256:E387CDB57565290FB9C71E58052040D418635930D14B2EB51A607AF405787156
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
6368firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cert9.dbbinary
MD5:F287F605A82A8933EA9AB71B25876993
SHA256:285BA0268281C4844B3EAA5B460406A3B2945D0DC751E675CF2D109C7B2B55B3
6368firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.binbinary
MD5:297E88D7CEB26E549254EC875649F4EB
SHA256:8B75D4FB1845BAA06122888D11F6B65E6A36B140C54A72CC13DF390FD7C95702
6368firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.binbinary
MD5:C95DDC2B1A525D1A243E4C294DA2F326
SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
101
DNS requests
135
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3040
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
POST
200
95.101.54.131:80
http://r10.o.lencr.org/
unknown
whitelisted
POST
200
142.250.185.163:80
http://o.pki.goog/s/wr3/yvU
unknown
whitelisted
POST
200
2.16.202.121:80
http://r11.o.lencr.org/
unknown
whitelisted
POST
200
142.250.185.163:80
http://o.pki.goog/wr2
unknown
whitelisted
POST
200
142.250.185.163:80
http://o.pki.goog/wr2
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
POST
200
95.101.54.131:80
http://r10.o.lencr.org/
unknown
whitelisted
POST
200
2.16.202.121:80
http://r11.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.209.140:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3040
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3040
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted
140.82.121.3:443
github.com
GITHUB
US
shared

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.23.209.140
  • 2.23.209.189
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.179
whitelisted
google.com
  • 142.250.181.238
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
github.com
  • 140.82.121.3
shared
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup Domain (ipapi .co in DNS lookup)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://github.com/PyroTheSinner/DISCORD-IP-GRABBER-2024-TESTED-WORKING/blob/main/SINFUL%20IP%20GRABBER.exe