| File name: | Self-Bot.exe |
| Full analysis: | https://app.any.run/tasks/46641651-5659-4bc7-99c0-f8b929ef80e8 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 27, 2025, 20:40:18 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 15 sections |
| MD5: | F89F1EB4E9F9003ED3136A46D0190711 |
| SHA1: | 9CEF6EE49E826842C3A44C558CC17CAFBF9F662F |
| SHA256: | E8C6CB743497529E14D4D2FA03BA0897C6D7D83189B48911B3D9A538216CF0EF |
| SSDEEP: | 98304:fIH92wKbVnhegb6pOTHwaOht5lloc3BM6Ib5P46y3d95ar9KZSClWbbjyHCpbKsx:fG3bq6dgy |
MALICIOUS
DISCORDGRABBER has been detected (YARA)
- Self-Bot.exe (PID: 7160)
SUSPICIOUS
Connects to the server without a host name
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4156)
Executable content was dropped or overwritten
- Self-Bot.exe (PID: 7160)
Process drops legitimate windows executable
- Self-Bot.exe (PID: 7160)
Application launched itself
- electron.exe (PID: 2368)
INFO
Checks supported languages
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4708)
- electron.exe (PID: 2368)
- electron.exe (PID: 4156)
- electron.exe (PID: 3388)
Creates files or folders in the user directory
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 2368)
- electron.exe (PID: 4156)
- electron.exe (PID: 3388)
Reads the machine GUID from the registry
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4156)
Reads the computer name
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 2368)
- electron.exe (PID: 4708)
- electron.exe (PID: 4156)
Reads the software policy settings
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4156)
- slui.exe (PID: 3672)
Manual execution by a user
- wscript.exe (PID: 4864)
- wscript.exe (PID: 6016)
- wscript.exe (PID: 2468)
- wscript.exe (PID: 6684)
- OpenWith.exe (PID: 6812)
- OpenWith.exe (PID: 2708)
Detects GO elliptic curve encryption (YARA)
- Self-Bot.exe (PID: 7160)
The sample compiled with english language support
- Self-Bot.exe (PID: 7160)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 2708)
- OpenWith.exe (PID: 6812)
Application based on Golang
- Self-Bot.exe (PID: 7160)
Checks proxy server information
- electron.exe (PID: 2368)
- slui.exe (PID: 3672)
Process checks computer location settings
- electron.exe (PID: 2368)
- electron.exe (PID: 3388)
Create files in a temporary directory
- electron.exe (PID: 2368)
Node.js compiler has been detected
- electron.exe (PID: 2368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 3 |
| CodeSize: | 4810752 |
| InitializedDataSize: | 831488 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x69f00 |
| OSVersion: | 6.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
Total processes
135
Monitored processes
13
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2076 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2368 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\main.js 127.0.0.1:49748 false --no-sandbox | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | — | Self-Bot.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 2468 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\client.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 2708 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\e3ed94ad-3861-47b8-a224-fdb3ccae2934 | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3388 | "C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe" --type=renderer --no-sandbox --field-trial-handle=1604,15791517325323132577,2631480600099945672,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=electron.app.Electron --app-path="C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | — | electron.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 3672 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4156 | "C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,15791517325323132577,2631480600099945672,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --no-sandbox --mojo-platform-channel-handle=2144 /prefetch:8 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | electron.exe | ||||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 4708 | "C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe" --type=gpu-process --field-trial-handle=1604,15791517325323132577,2631480600099945672,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --no-sandbox --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | — | electron.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 4864 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\index.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6016 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\consts.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
12 708
Read events
12 690
Write events
0
Delete events
18
Modification events
| (PID) Process: | (2368) electron.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries |
| Operation: | delete value | Name: | _Global_ |
Value: | |||
| (PID) Process: | (2368) electron.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries |
| Operation: | delete value | Name: | en-US |
Value: | |||
| (PID) Process: | (2368) electron.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries |
| Operation: | delete value | Name: | en |
Value: | |||
Executable files
9
Suspicious files
95
Text files
19
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64-v11.4.3.zip | — | |
MD5:— | SHA256:— | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\gui\image.icns | image | |
MD5:3DF0E993923D78A8D6B9ABD939809638 | SHA256:62EC96F600B4AE7AF6F5E129888DE8C5BA01AE794171E5E7338AD7DD45BD194B | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\.gitignore | text | |
MD5:E938A32DD9742D47973F7F62B0DC1738 | SHA256:2D4D983600230DC3249A503568C6BA197CB1CFC9EA9A4EC56D1E5D31BD11BE07 | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\src\client.js | binary | |
MD5:6DE951FF2D0E3E5C86CB0A7765A99B37 | SHA256:8357CB1B31C736D96F150E7F6654CD7731A6D90B7994AFB47FC2407598B8925E | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\index.js | binary | |
MD5:BC7EB1D2BEE8FC11171CA934E4DF5823 | SHA256:636F272AA07FD07173DBA65C33C55B41D8B2690113FAD10379303EC65DB0EFDF | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\LICENSE | text | |
MD5:F882AA7CCC2BCD8E9E654AC080241847 | SHA256:34EA697E8B8B2FFF5004A4CC1334051544150BD392C1CA58D831A647081557FC | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\README.md | text | |
MD5:0181F25BF64AEBD042CCD39E46761FCF | SHA256:577E00E0BD3CF42527E59EA3F22AEBA5EDF1ADC67C7D77BC7A2066D67584951F | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\locales\gu.pak | binary | |
MD5:7E5416A501994FFBEBAB3EDC57756B3B | SHA256:A49597E67FCF93448C89E07F9CC3519B3B1B77505BC30ADF3F25C250718EEC0C | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\main.js | binary | |
MD5:7E2B884E5467C63F06960939CA860F7F | SHA256:E944A8ADDDFD05327A6A76FF863C13DFF79F73F444F4FC3C31A09452DF2A632D | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron-v0.57.0.zip | compressed | |
MD5:866FC6B33E2CD0D5298765CE42FF7C7E | SHA256:214C8DF33EDDB0D2E954D1EDAA577939A9447E65A68323F12BC81C869559B43D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
55
DNS requests
24
Threats
21
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 151.101.2.137:443 | https://code.jquery.com/jquery-3.5.1.js | unknown | binary | 280 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
7160 | Self-Bot.exe | GET | 200 | 207.211.182.197:80 | http://207.211.182.197/getIcon | unknown | — | — | unknown |
7160 | Self-Bot.exe | GET | 200 | 207.211.182.197:80 | http://207.211.182.197/getIcon | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
— | — | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
— | — | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
7160 | Self-Bot.exe | 151.101.194.137:443 | code.jquery.com | FASTLY | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
code.jquery.com |
| whitelisted |
login.live.com |
| whitelisted |
github.com |
| whitelisted |
codeload.github.com |
| whitelisted |
objects.githubusercontent.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com) |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
7160 | Self-Bot.exe | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
7160 | Self-Bot.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
7160 | Self-Bot.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
7160 | Self-Bot.exe | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |