Field | Value |
---|---|
File name: | Discord Nitro Generator.exe |
Full analysis: | https://app.any.run/tasks/107fdf43-217b-48c8-b75b-c418c3c185a5 |
Verdict: | Malicious activity |
Threats: | Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. |
Analysis date: | August 12, 2022, 21:14:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (console) Intel 80386, for MS Windows |
MD5: | 1A8B9184423147F1763393DD787E53BC |
SHA1: | 753A53BB19CE2A6F0649201A54486D7917558C74 |
SHA256: | E059A20A8AE8EBC72A6A07053FC1660C7D19068E1BE9861B9E903F57F00EF7F4 |
SSDEEP: | 98304:R4VjU7lipgJ7dm9NQyyDbkzt2imV/lValU9qwdYi/gjVwQlg8U:uV/pgJRm9h5t27VdVvFYygjlg |
Extension | Detected type (match %) |
---|---|
.dll | Win32 Dynamic Link Library (generic) (43.5) |
.exe | Win32 Executable (generic) (29.8) |
.exe | Generic Win/DOS Executable (13.2) |
.exe | DOS Executable Generic (13.2) |
.vxd | VXD Driver (0.2) |
Field | Value |
---|---|
Subsystem: | Windows command line |
SubsystemVersion: | 5.1 |
ImageVersion: | 1 |
OSVersion: | 5.1 |
EntryPoint: | 0x6c7650 |
UninitializedDataSize: | 4096 |
InitializedDataSize: | 1358336 |
CodeSize: | 738816 |
LinkerVersion: | 2.3 |
PEType: | PE32 |
TimeStamp: | 2022:08:12 20:27:48+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_CUI |
Compilation Date: | 12-Aug-2022 18:27:48 |
TLS Callbacks: | 3 callback(s) detected. |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 11 |
Time date stamp: | 12-Aug-2022 18:27:48 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000B44E8 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0 |
.data | 0x000B6000 | 0x0004C45C | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00103000 | 0x0000DFC0 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0 |
.eh_fram\xc8\xbd\x03 | 0x00111000 | 0x0003BDC8 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0 |
.bss | 0x0014D000 | 0x00000F00 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x0014E000 | 0x00000BD0 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.CRT | 0x0014F000 | 0x00000034 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.tls | 0x00150000 | 0x00000008 | 0x00000000 | IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.k<_n | 0x00151000 | 0x001A3E7D | 0x00000000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 0 |
.PeOd | 0x002F5000 | 0x00000378 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.297299 |
Imported DLL |
---|
KERNEL32.dll |
msvcrt.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3488 | "C:\Users\admin\AppData\Local\Temp\Discord Nitro Generator.exe" | C:\Users\admin\AppData\Local\Temp\Discord Nitro Generator.exe | | Explorer.EXE |
213336 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | | Discord Nitro Generator.exe |

Process 3488 (Discord Nitro Generator.exe) | |
---|---|
User: | admin |
Integrity Level: | MEDIUM |
Exit code: | 0 |

Arkei configuration extracted from PID 3488 (Discord Nitro Generator.exe) | |
---|---|
Strings: | 0 |
URL marker: | hello |
BotNet: | true |
Version: | 53.6 |
C2 (2): | https://t.me/albaniaestates, https://c.im/@banza4ker |

Process 213336 (AppLaunch.exe) | |
---|---|
User: | admin |
Company: | Microsoft Corporation |
Integrity Level: | MEDIUM |
Description: | Microsoft .NET ClickOnce Launch Utility |
Version: | 4.0.30319.34209 built by: FX452RTMGDR |

Arkei configuration extracted from PID 213336 (AppLaunch.exe) | |
---|---|
Strings: | 0 |
URL marker: | hello |
BotNet: | true |
Version: | 53.6 |
C2 (2): | https://t.me/albaniaestates, https://c.im/@banza4ker |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D | binary | 22D7718FB8E6E7D4B50DD08CBDC5C02E | D83D7CB19157169F874CEFEFA10E06F13D49093AC98C93CAE0A52EB94670709A |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | 377F0621034125C7B5052E9B7A33AA4F | 39831141DA93CAF997E77D6C1AA88EBDE0400D4BB4476C2CD55BDB0C3A0962C9 |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 688E94F26E0D088227CB0BE50BDE0E98 | A3F3804D49A1AA0CAB0E59FDB6228BF6F564578A919BD4F66F97C9E1EFA4A49E |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der | 731961DEA42A253E0D50F88E7C104352 | BDEF2FB73CC39298479BC53D1B3EE1BE54B0E940A7F3150E85031F9B1FA61324 |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | 9E3B81A5FB0E2D9D019A0E9E7D4AD9E5 | 96388DEFC251A353F9D37AABC76896305F784E8CED84DCF1CFF5A1813CF2C89A |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\738FBC066DBD9E6001113366624890A3_53C5D34017BDB72400155AC2819BA60D | der | E275929BB5995D6A1DF5C4F61793469C | E804B9A8D031656620ECED5BB5A0494322BA2002D37B1F30E39B53F41278A89C |
213336 | AppLaunch.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\S6D725SZ.txt | text | 23BD56949516143269A33EC0C0E35991 | 7DB20CD67302C201BB9450508F7769D184220072B3135AA8C1CDE66ABCDB0CF6 |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | 9F8AEB10803D9A56044E61231322A754 | 6A755028B70F8B50F69D79BA15CF15FA263304294C39B995931858B27BF61DAB |
213336 | AppLaunch.exe | C:\ProgramData\03983434979664586798408282 | sqlite | B98E46B09E0B97F0839DC7897AEA7F9A | 45AF197F8FB09FC1BB9AFF9D76F1E8FF06B5906F6A9E8F4CF2213DE0A8B1213A |
213336 | AppLaunch.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
213336 | AppLaunch.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted |
213336 | AppLaunch.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted |
213336 | AppLaunch.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQC2T6rhHiP0ng%3D%3D | US | der | 1.74 Kb | whitelisted |
213336 | AppLaunch.exe | GET | 200 | 78.47.73.95:80 | http://78.47.73.95/9538378569.zip | DE | compressed | 3.47 Mb | malicious |
213336 | AppLaunch.exe | GET | 200 | 78.47.73.95:80 | http://78.47.73.95/ | DE | text | 107 b | malicious |
213336 | AppLaunch.exe | GET | 200 | 13.107.4.50:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5251be062c8bd1c2 | US | compressed | 4.70 Kb | whitelisted |
213336 | AppLaunch.exe | POST | 200 | 78.47.73.95:80 | http://78.47.73.95/ | DE | text | 4 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
213336 | AppLaunch.exe | 78.47.73.95:80 | — | Hetzner Online GmbH | DE | malicious |
213336 | AppLaunch.exe | 13.107.4.50:80 | ctldl.windowsupdate.com | Microsoft Corporation | US | whitelisted |
213336 | AppLaunch.exe | 192.124.249.22:80 | ocsp.godaddy.com | Sucuri | US | suspicious |
213336 | AppLaunch.exe | 149.154.167.99:443 | t.me | Telegram Messenger LLP | GB | malicious |
Domain | IP | Reputation |
---|---|---|
t.me | | whitelisted |
ctldl.windowsupdate.com | | whitelisted |
ocsp.godaddy.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
213336 | AppLaunch.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host ZIP Request |