Malware analysis Nexus-Discord-Grabber-main.zip Malicious activity

Add for printing

File name:	Nexus-Discord-Grabber-main.zip
Full analysis:	https://app.any.run/tasks/6db80356-4c95-418b-a8e0-219a1ae56837
Verdict:	Malicious activity
Threats:	Exela Stealer is an infostealer malware written in Python. It is capable of collecting a wide range of sensitive information from compromised systems and exfiltrating it to attackers over Discord. It is frequently used to steal browser data, and obtain session files from various applications, including gaming platforms, social media platforms, and messaging apps. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	October 31, 2024, 02:42:01
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc exela stealer evasion discord python
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract, compression method=store
MD5:	4F4E5580D6776BAF372AB215B70F6461
SHA1:	0F5444DE4F3D1452CD03974DB2218F4961FC0A72
SHA256:	AD06ECE5D6FC7FFE21DA143FC272ED2A172C0FEB68309E3055F9B3DCDEC2877D
SSDEEP:	98304:+yKv8RZ/Z1wYkLbtlGwjvJ/wut9M1wCgmK5WlvKvJUQKTUQbOB6xJp2gSHaG87Mr:Y522iAIHq0zZXMQiv+/BRWhH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ExelaStealer has been detected
  - Nexus.exe (PID: 7140)
  - Nexus.exe (PID: 6176)
  - Nexus.exe (PID: 6636)
- Starts NET.EXE to view/add/change user profiles
  - cmd.exe (PID: 6176)
  - net.exe (PID: 1048)
  - net.exe (PID: 4808)
  - net.exe (PID: 944)
  - net.exe (PID: 4340)
  - net.exe (PID: 5284)
  - net.exe (PID: 3732)
  - cmd.exe (PID: 6248)
  - net.exe (PID: 5932)
  - net.exe (PID: 4996)
  - net.exe (PID: 3108)
  - cmd.exe (PID: 4260)
- Starts NET.EXE to view/change users localgroup
  - net.exe (PID: 4676)
  - net.exe (PID: 2816)
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - net.exe (PID: 5240)
  - net.exe (PID: 3860)
  - net.exe (PID: 6352)
  - cmd.exe (PID: 4260)
  - net.exe (PID: 7060)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 7004)
  - powershell.exe (PID: 5616)
  - powershell.exe (PID: 5784)
- Changes powershell execution policy (Bypass)
  - cmd.exe (PID: 1428)
  - cmd.exe (PID: 6308)
  - cmd.exe (PID: 7136)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 6708)
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 7140)
  - Nexus.exe (PID: 6324)
  - Nexus.exe (PID: 1048)
- Starts a Microsoft application from unusual location
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 7140)
  - Nexus.exe (PID: 6324)
  - Nexus.exe (PID: 6176)
  - Nexus.exe (PID: 6636)
  - Nexus.exe (PID: 1048)
- The process drops C-runtime libraries
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 6324)
  - Nexus.exe (PID: 1048)
- Process drops python dynamic module
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 6324)
  - Nexus.exe (PID: 1048)
- Application launched itself
  - Nexus.exe (PID: 4548)
  - cmd.exe (PID: 5980)
  - cmd.exe (PID: 4956)
  - Nexus.exe (PID: 6324)
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 1440)
  - Nexus.exe (PID: 1048)
  - cmd.exe (PID: 4016)
  - cmd.exe (PID: 2280)
- Loads Python modules
  - Nexus.exe (PID: 7140)
- Executable content was dropped or overwritten
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 7140)
  - csc.exe (PID: 3792)
  - Nexus.exe (PID: 6324)
  - csc.exe (PID: 2588)
  - Nexus.exe (PID: 1048)
  - csc.exe (PID: 4380)
- Starts CMD.EXE for commands execution
  - Nexus.exe (PID: 7140)
  - cmd.exe (PID: 5980)
  - cmd.exe (PID: 4956)
  - cmd.exe (PID: 6276)
  - cmd.exe (PID: 1440)
  - Nexus.exe (PID: 6636)
  - cmd.exe (PID: 4016)
  - cmd.exe (PID: 2280)
  - Nexus.exe (PID: 6176)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 6296)
  - cmd.exe (PID: 5976)
  - cmd.exe (PID: 6424)
  - cmd.exe (PID: 5596)
  - cmd.exe (PID: 6908)
  - cmd.exe (PID: 7060)
- Uses WMIC.EXE to obtain a list of video controllers
  - cmd.exe (PID: 4868)
  - cmd.exe (PID: 4076)
  - cmd.exe (PID: 7100)
- Get information on the list of running processes
  - Nexus.exe (PID: 7140)
  - cmd.exe (PID: 7144)
  - cmd.exe (PID: 1332)
  - cmd.exe (PID: 1880)
  - cmd.exe (PID: 7060)
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 4584)
  - cmd.exe (PID: 1588)
  - Nexus.exe (PID: 6176)
  - cmd.exe (PID: 2588)
  - cmd.exe (PID: 2132)
  - cmd.exe (PID: 6248)
  - Nexus.exe (PID: 6636)
  - cmd.exe (PID: 7032)
  - cmd.exe (PID: 4076)
  - cmd.exe (PID: 6304)
  - cmd.exe (PID: 3700)
  - cmd.exe (PID: 4260)
- Accesses video controller name via WMI (SCRIPT)
  - WMIC.exe (PID: 3732)
- Uses ATTRIB.EXE to modify file attributes
  - cmd.exe (PID: 2816)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 5824)
  - cmd.exe (PID: 7060)
  - cmd.exe (PID: 5196)
  - cmd.exe (PID: 608)
  - cmd.exe (PID: 7056)
  - cmd.exe (PID: 6516)
  - cmd.exe (PID: 6712)
  - cmd.exe (PID: 3156)
  - cmd.exe (PID: 3604)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 5372)
  - cmd.exe (PID: 1428)
  - cmd.exe (PID: 5920)
  - cmd.exe (PID: 6308)
  - cmd.exe (PID: 1160)
  - cmd.exe (PID: 7136)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 6428)
  - cmd.exe (PID: 944)
  - cmd.exe (PID: 6540)
- Starts application with an unusual extension
  - cmd.exe (PID: 3792)
  - cmd.exe (PID: 3728)
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 2576)
  - cmd.exe (PID: 6320)
  - cmd.exe (PID: 3828)
- Uses NETSH.EXE to obtain data on the network
  - cmd.exe (PID: 6568)
  - cmd.exe (PID: 4004)
  - cmd.exe (PID: 3972)
- Uses SYSTEMINFO.EXE to read the environment
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- Checks for external IP
  - Nexus.exe (PID: 7140)
  - svchost.exe (PID: 2172)
  - Nexus.exe (PID: 6176)
- Uses WMIC.EXE to obtain local storage devices information
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- Uses QUSER.EXE to read information about current user sessions
  - query.exe (PID: 5700)
  - query.exe (PID: 1112)
  - query.exe (PID: 4032)
- Uses WMIC.EXE to obtain commands that are run when users log in
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- Process uses IPCONFIG to discover network configuration
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- Uses ROUTE.EXE to obtain the routing table information
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- Process uses ARP to discover network configuration
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- BASE64 encoded PowerShell command has been detected
  - cmd.exe (PID: 1428)
  - cmd.exe (PID: 6308)
  - cmd.exe (PID: 7136)
- Starts SC.EXE for service management
  - cmd.exe (PID: 6176)
  - cmd.exe (PID: 6248)
  - cmd.exe (PID: 4260)
- The process bypasses the loading of PowerShell profile settings
  - cmd.exe (PID: 1428)
  - cmd.exe (PID: 6308)
  - cmd.exe (PID: 7136)
- Base64-obfuscated command line is found
  - cmd.exe (PID: 1428)
  - cmd.exe (PID: 6308)
  - cmd.exe (PID: 7136)
- CSC.EXE is used to compile C# code
  - csc.exe (PID: 3792)
  - csc.exe (PID: 2588)
  - csc.exe (PID: 4380)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6708)
- Manual execution by a user
  - Nexus.exe (PID: 4548)
  - cmd.exe (PID: 2736)
  - upx.exe (PID: 6168)
  - upx.exe (PID: 6964)
  - Nexus.exe (PID: 6324)
  - cmd.exe (PID: 3128)
  - Nexus.exe (PID: 1048)
  - upx.exe (PID: 4568)
  - upx.exe (PID: 6772)
  - upx.exe (PID: 3944)
- The process uses the downloaded file
  - WinRAR.exe (PID: 6708)
- Checks supported languages
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 7140)
- Create files in a temporary directory
  - Nexus.exe (PID: 4548)
  - Nexus.exe (PID: 7140)
- Reads the computer name
  - Nexus.exe (PID: 4548)
- Checks operating system version
  - Nexus.exe (PID: 7140)
  - Nexus.exe (PID: 6636)
  - Nexus.exe (PID: 6176)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 5324)
  - WMIC.exe (PID: 3732)
  - WMIC.exe (PID: 4816)
- The Powershell gets current clipboard
  - powershell.exe (PID: 2140)
  - powershell.exe (PID: 2724)
  - powershell.exe (PID: 4208)
- Changes the display of characters in the console
  - cmd.exe (PID: 3728)
  - cmd.exe (PID: 3792)
  - cmd.exe (PID: 5220)
  - cmd.exe (PID: 2576)
  - cmd.exe (PID: 6320)
  - cmd.exe (PID: 3828)
- Prints a route via ROUTE.EXE
  - ROUTE.EXE (PID: 5172)
  - ROUTE.EXE (PID: 5612)
  - ROUTE.EXE (PID: 6176)
- Attempting to use instant messaging service
  - Nexus.exe (PID: 7140)
  - svchost.exe (PID: 2172)
  - Nexus.exe (PID: 6176)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.xpi	\|	Mozilla Firefox browser extension (66.6)
.zip	\|	ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion:	10
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2024:10:28 17:43:56
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Nexus-Discord-Grabber-main/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

417

Monitored processes

287

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

204

C:\WINDOWS\system32\cmd.exe /c "gdb --version"

C:\Windows\System32\cmd.exe

—

Nexus.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

204

wmic logicaldisk get caption,description,providername

C:\Windows\System32\wbem\WMIC.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

WMI Commandline Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

608

C:\WINDOWS\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\cmd.exe

—

Nexus.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

692

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

764

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

944

net user guest

C:\Windows\System32\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

944

C:\WINDOWS\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"

C:\Windows\System32\cmd.exe

—

Nexus.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll

1048

net user

C:\Windows\System32\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1048

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe" /f

C:\Windows\System32\reg.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Console Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1048

"C:\Users\admin\Desktop\Nexus-Discord-Grabber-main\Nexus.exe"

C:\Users\admin\Desktop\Nexus-Discord-Grabber-main\Nexus.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Exela Services

Exit code:

Version:

10.0.19041.746 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\desktop\nexus-discord-grabber-main\nexus.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

52 811

Read events

52 791

Write events

Delete events

Modification events


(PID) Process:	(6708) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6708) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Nexus-Discord-Grabber-main.zip
(PID) Process:	(6708) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6708) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6708) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6708) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6612) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Exela Update Service
Value: C:\Users\admin\AppData\Local\ExelaUpdateService\Exela.exe
(PID) Process:	(6808) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdHigh
Value: 31140670
(PID) Process:	(6808) TiWorker.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:	write	Name:	SessionIdLow
Value:
(PID) Process:	(4792) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

105

Suspicious files

Text files

146

Unknown types

Dropped files

PID	Process	Filename		Type
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\UPX\upx.exe		executable
		MD5:39ECDF78CB357513D1FD565C5E9EDBDD	SHA256:1EA92DA93EEAF4D456114B847B9BDDFB47EF854E7C24143F290D5E3F44973E91
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\LICENSE		text
		MD5:F57BA58CDBEB92901C54411F17778ECF	SHA256:61942D31CC5C5791BF214FBAB7DE4649FB4D15D5E058B2646D9FFBF40BFFCAC5
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\builder.py		text
		MD5:C334E5C6DBDC27F8E8B48D1DAC286F23	SHA256:27EBC271F47BD76B63B5F3AA36B7F0587F3BD543C9CA5E0E89719DF54EF82F73
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\Exela.py		text
		MD5:53D0F2EDF910D03BF6A5B2A2806ADF02	SHA256:FF0B26B330F3BDDC1A9EBA6DAE2BC4F8609FC85592F8F3C6344F2907A7A57CF9
4548	Nexus.exe	C:\Users\admin\AppData\Local\Temp\_MEI45482\_bz2.pyd		executable
		MD5:80C69A1D87F0C82D6C4268E5A8213B78	SHA256:307359F1B2552B60839385EB63D74CBFE75CD5EFDB4E7CD0BB7D296FA67D8A87
4548	Nexus.exe	C:\Users\admin\AppData\Local\Temp\_MEI45482\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\AssemblyFile\version.txt		text
		MD5:B13F73267D6A3E865A941BF7BB817D19	SHA256:5C7DA4BF53B1EBDA26683C75E5C03D1D062683D4F1AF10DB939BA334787136CF
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\Obfuscator\obf.py		text
		MD5:BFBF108641C41832AC8584A6B85960CC	SHA256:2BA721B0F3311123399CFA098502AD53CFA4E8E0FE6CE0DE65ED2C84EA1C1101
4548	Nexus.exe	C:\Users\admin\AppData\Local\Temp\_MEI45482\_cffi_backend.cp311-win_amd64.pyd		executable
		MD5:0F0F1C4E1D043F212B00473A81C012A3	SHA256:FDA255664CBF627CB6A9CD327DAF4E3EB06F4F0707ED2615E86E2E99B422AD0B
6708	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa6708.35838\Nexus-Discord-Grabber-main\README.md		html
		MD5:92F35B73494F790F3CFCC626EDC85A89	SHA256:D3A83FE61CF00C21CB49480037AA455D169A0018858200089B5CA6D2E8D1D095

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3728	SIHClient.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7140	Nexus.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	shared
—	—	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	2.20.245.138:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6176	Nexus.exe	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	shared
—	—	GET	200	208.95.112.1:80	http://ip-api.com/json	unknown	—	—	shared
5488	MoUsoCoreWorker.exe	GET	200	23.32.185.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2776	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.23.209.130:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
5488	MoUsoCoreWorker.exe	2.20.245.138:80	crl.microsoft.com	Akamai International B.V.	SE	whitelisted
—	—	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
6944	svchost.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
5488	MoUsoCoreWorker.exe	23.32.185.131:80	www.microsoft.com	AKAMAI-AS	BR	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
www.bing.com	2.23.209.130 2.23.209.133 2.23.209.187 2.23.209.182 2.23.209.149	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
crl.microsoft.com	2.20.245.138 2.20.245.137	whitelisted
www.microsoft.com	23.32.185.131	whitelisted
google.com	142.250.74.206	whitelisted
login.live.com	40.126.32.136 20.190.160.14 40.126.32.138 40.126.32.76 40.126.32.72 20.190.160.20 40.126.32.134 20.190.160.22	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
th.bing.com	2.23.209.187 2.23.209.149 2.23.209.133 2.23.209.130	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
arc.msn.com	20.223.35.26	whitelisted

Threats

PID	Process	Class	Message
2172	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Check (ip-api .com)
7140	Nexus.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup ip-api.com
2172	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2172	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
7140	Nexus.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
7140	Nexus.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2172	svchost.exe	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
2172	svchost.exe	Potentially Bad Traffic	ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
7140	Nexus.exe	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)
7140	Nexus.exe	Misc activity	ET INFO File Sharing Related Domain in TLS SNI (gofile .io)

Add for printing

No debug info

General Info

Nexus-Discord-Grabber-main.zip

4F4E5580D6776BAF372AB215B70F6461

0F5444DE4F3D1452CD03974DB2218F4961FC0A72

AD06ECE5D6FC7FFE21DA143FC272ED2A172C0FEB68309E3055F9B3DCDEC2877D

98304:+yKv8RZ/Z1wYkLbtlGwjvJ/wut9M1wCgmK5WlvKvJUQKTUQbOB6xJp2gSHaG87Mr:Y522iAIHq0zZXMQiv+/BRWhH

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ExelaStealer has been detected

Starts NET.EXE to view/add/change user profiles

Starts NET.EXE to view/change users localgroup

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

The process drops C-runtime libraries

Process drops python dynamic module

Application launched itself

Loads Python modules

Executable content was dropped or overwritten

Starts CMD.EXE for commands execution

Uses WMIC.EXE to obtain computer system information

Uses WMIC.EXE to obtain a list of video controllers

Get information on the list of running processes

Accesses video controller name via WMI (SCRIPT)

Uses ATTRIB.EXE to modify file attributes

Uses WMIC.EXE to obtain Windows Installer data

Starts POWERSHELL.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Starts application with an unusual extension

Uses NETSH.EXE to obtain data on the network

Uses SYSTEMINFO.EXE to read the environment

Checks for external IP

Uses WMIC.EXE to obtain local storage devices information

Uses QUSER.EXE to read information about current user sessions

Uses WMIC.EXE to obtain commands that are run when users log in

Suspicious use of NETSH.EXE

Process uses IPCONFIG to discover network configuration

Uses ROUTE.EXE to obtain the routing table information

Process uses ARP to discover network configuration

BASE64 encoded PowerShell command has been detected

Starts SC.EXE for service management

The process bypasses the loading of PowerShell profile settings

Base64-obfuscated command line is found

CSC.EXE is used to compile C# code

INFO

Executable content was dropped or overwritten

Manual execution by a user

The process uses the downloaded file

Checks supported languages

Create files in a temporary directory

Reads the computer name

Checks operating system version

Reads security settings of Internet Explorer

The Powershell gets current clipboard

Changes the display of characters in the console

Prints a route via ROUTE.EXE

Attempting to use instant messaging service

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Information

Modules

Information

Modules