| File name: | Self-Bot.exe |
| Full analysis: | https://app.any.run/tasks/46641651-5659-4bc7-99c0-f8b929ef80e8 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 27, 2025, 20:40:18 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 15 sections |
| MD5: | F89F1EB4E9F9003ED3136A46D0190711 |
| SHA1: | 9CEF6EE49E826842C3A44C558CC17CAFBF9F662F |
| SHA256: | E8C6CB743497529E14D4D2FA03BA0897C6D7D83189B48911B3D9A538216CF0EF |
| SSDEEP: | 98304:fIH92wKbVnhegb6pOTHwaOht5lloc3BM6Ib5P46y3d95ar9KZSClWbbjyHCpbKsx:fG3bq6dgy |
MALICIOUS
DISCORDGRABBER has been detected (YARA)
- Self-Bot.exe (PID: 7160)
SUSPICIOUS
Connects to the server without a host name
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4156)
Executable content was dropped or overwritten
- Self-Bot.exe (PID: 7160)
Process drops legitimate windows executable
- Self-Bot.exe (PID: 7160)
Application launched itself
- electron.exe (PID: 2368)
INFO
Creates files or folders in the user directory
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 2368)
- electron.exe (PID: 4156)
- electron.exe (PID: 3388)
Reads the computer name
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 2368)
- electron.exe (PID: 4708)
- electron.exe (PID: 4156)
Checks supported languages
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 2368)
- electron.exe (PID: 4708)
- electron.exe (PID: 4156)
- electron.exe (PID: 3388)
Reads the software policy settings
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4156)
- slui.exe (PID: 3672)
Reads the machine GUID from the registry
- Self-Bot.exe (PID: 7160)
- electron.exe (PID: 4156)
Manual execution by a user
- wscript.exe (PID: 4864)
- wscript.exe (PID: 6016)
- wscript.exe (PID: 2468)
- OpenWith.exe (PID: 6812)
- wscript.exe (PID: 6684)
- OpenWith.exe (PID: 2708)
Application based on Golang
- Self-Bot.exe (PID: 7160)
Detects GO elliptic curve encryption (YARA)
- Self-Bot.exe (PID: 7160)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 6812)
- OpenWith.exe (PID: 2708)
The sample compiled with english language support
- Self-Bot.exe (PID: 7160)
Checks proxy server information
- electron.exe (PID: 2368)
- slui.exe (PID: 3672)
Create files in a temporary directory
- electron.exe (PID: 2368)
Process checks computer location settings
- electron.exe (PID: 3388)
- electron.exe (PID: 2368)
Node.js compiler has been detected
- electron.exe (PID: 2368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 3 |
| CodeSize: | 4810752 |
| InitializedDataSize: | 831488 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x69f00 |
| OSVersion: | 6.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
Total processes
135
Monitored processes
13
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2076 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2368 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\main.js 127.0.0.1:49748 false --no-sandbox | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | — | Self-Bot.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 2468 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\client.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 2708 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\e3ed94ad-3861-47b8-a224-fdb3ccae2934 | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3388 | "C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe" --type=renderer --no-sandbox --field-trial-handle=1604,15791517325323132577,2631480600099945672,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --app-user-model-id=electron.app.Electron --app-path="C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron" --node-integration --no-sandbox --no-zygote --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | — | electron.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 3672 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4156 | "C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,15791517325323132577,2631480600099945672,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --no-sandbox --mojo-platform-channel-handle=2144 /prefetch:8 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | electron.exe | ||||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 4708 | "C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe" --type=gpu-process --field-trial-handle=1604,15791517325323132577,2631480600099945672,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --no-sandbox --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2 | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\electron.exe | — | electron.exe | |||||||||||
User: admin Company: GitHub, Inc. Integrity Level: MEDIUM Description: Electron Exit code: 0 Version: 11.4.3 Modules
| |||||||||||||||
| 4864 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\index.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 6016 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\consts.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
12 708
Read events
12 690
Write events
0
Delete events
18
Modification events
| (PID) Process: | (2368) electron.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries |
| Operation: | delete value | Name: | _Global_ |
Value: | |||
| (PID) Process: | (2368) electron.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries |
| Operation: | delete value | Name: | en-US |
Value: | |||
| (PID) Process: | (2368) electron.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Spelling\Dictionaries |
| Operation: | delete value | Name: | en |
Value: | |||
Executable files
9
Suspicious files
95
Text files
19
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64-v11.4.3.zip | — | |
MD5:— | SHA256:— | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\gui\image.ico | image | |
MD5:3DF0E993923D78A8D6B9ABD939809638 | SHA256:62EC96F600B4AE7AF6F5E129888DE8C5BA01AE794171E5E7338AD7DD45BD194B | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\gui\versions\12.txt | text | |
MD5:7CB67C9AD4F033E4D740F3381C763D29 | SHA256:7989D23C452ED2BFD442E501045F7D4D5078BA74509DF6A9BAEF0C1C377714F0 | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\gui\image.icns | image | |
MD5:3DF0E993923D78A8D6B9ABD939809638 | SHA256:62EC96F600B4AE7AF6F5E129888DE8C5BA01AE794171E5E7338AD7DD45BD194B | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron-v0.57.0.zip | compressed | |
MD5:866FC6B33E2CD0D5298765CE42FF7C7E | SHA256:214C8DF33EDDB0D2E954D1EDAA577939A9447E65A68323F12BC81C869559B43D | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\main.js | binary | |
MD5:7E2B884E5467C63F06960939CA860F7F | SHA256:E944A8ADDDFD05327A6A76FF863C13DFF79F73F444F4FC3C31A09452DF2A632D | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\insults.txt | text | |
MD5:95D5BA3FD170F4433C6431A89EB891D9 | SHA256:6C5C44EBAD463EE060731218B07E9AACC9A6D756CD2C5A910E03C74C239AF351 | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\gui\index.html | html | |
MD5:11EA2664578205C90EA5D43F25FA1AB0 | SHA256:544B2B48BF4B8A484DD24BB7D270BD8AD4186A8339C49DEE0B23B0F974C97331 | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\electron-windows-amd64\locales\es.pak | binary | |
MD5:06A2C6940DEF84D9327083AEE446F446 | SHA256:EB22282DBF211F64142EF4DFAC2C1D811D65DECD617C4A3D1C892967DC72AC07 | |||
| 7160 | Self-Bot.exe | C:\Users\admin\AppData\Roaming\Kilo-Self-Bot\vendor\astilectron\src\client.js | binary | |
MD5:6DE951FF2D0E3E5C86CB0A7765A99B37 | SHA256:8357CB1B31C736D96F150E7F6654CD7731A6D90B7994AFB47FC2407598B8925E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
55
DNS requests
24
Threats
21
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 302 | 140.82.121.3:443 | https://github.com/asticode/astilectron/archive/v0.57.0.zip | unknown | — | — | unknown |
— | — | GET | 200 | 140.82.121.3:443 | https://codeload.github.com/asticode/astilectron/zip/refs/tags/v0.57.0 | unknown | compressed | 11.3 Kb | whitelisted |
— | — | POST | 400 | 20.190.159.23:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 302 | 140.82.121.3:443 | https://github.com/electron/electron/releases/download/v11.4.3/electron-v11.4.3-win32-x64.zip | unknown | — | — | unknown |
— | — | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | POST | 400 | 40.126.31.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 200 | 40.126.31.1:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted |
— | — | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
— | — | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
1268 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
— | — | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
— | — | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
7160 | Self-Bot.exe | 151.101.194.137:443 | code.jquery.com | FASTLY | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
code.jquery.com |
| whitelisted |
login.live.com |
| whitelisted |
github.com |
| whitelisted |
codeload.github.com |
| whitelisted |
objects.githubusercontent.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com) |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
7160 | Self-Bot.exe | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
7160 | Self-Bot.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
7160 | Self-Bot.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
7160 | Self-Bot.exe | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
— | — | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
— | — | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |