Windows
Analysis Report
Discord2.exe
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- Discord2.exe (PID: 7052 cmdline:
"C:\Users\ user\Deskt op\Discord 2.exe" MD5: 3E7CA285EF320886E388DC9097E1BF92) - cmd.exe (PID: 3924 cmdline:
"C:\Window s\System32 \cmd.exe" /c schtask s /create /f /sc onl ogon /rl h ighest /tn "Discord" /tr '"C:\ Users\user \AppData\R oaming\Dis cord.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6188 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - schtasks.exe (PID: 6380 cmdline:
schtasks / create /f /sc onlogo n /rl high est /tn "D iscord" /t r '"C:\Use rs\user\Ap pData\Roam ing\Discor d.exe"' MD5: 48C2FE20575769DE916F48EF0676A965) - cmd.exe (PID: 6164 cmdline:
C:\Windows \system32\ cmd.exe /c ""C:\User s\user\App Data\Local \Temp\tmp3 854.tmp.ba t"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 6264 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - timeout.exe (PID: 6464 cmdline:
timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3) - Discord.exe (PID: 6616 cmdline:
"C:\Users\ user\AppDa ta\Roaming \Discord.e xe" MD5: 3E7CA285EF320886E388DC9097E1BF92)
- Discord.exe (PID: 6528 cmdline:
C:\Users\u ser\AppDat a\Roaming\ Discord.ex e MD5: 3E7CA285EF320886E388DC9097E1BF92)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution |
{
"External_config_on_Pastebin": "null",
"Server": "18.ip.gl.ply.gg",
"Ports": "6606,7707,8808,9028",
"Version": "0.5.8",
"Autorun": "true",
"Install_Folder": "Discord.exe",
"Install_File": "SEd3RjFxeGl0TDd6ZDJUZmp3eHUwOXpEQWNoUTFZSXc="
}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
Click to see the 8 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown |
| |
INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen |
| |
JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security | ||
Click to see the 5 entries |
System Summary |
---|
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Jonathan Cheong, oscd.community: |
Source: | Author: Florian Roth (Nextron Systems): |
- • AV Detection
- • Compliance
- • Networking
- • Key, Mouse, Clipboard, Microphone and Screen Capturing
- • Operating System Destruction
- • System Summary
- • Data Obfuscation
- • Persistence and Installation Behavior
- • Boot Survival
- • Hooking and other Techniques for Hiding and Protection
- • Malware Analysis System Evasion
- • Anti Debugging
- • HIPS / PFW / Operating System Protection Evasion
- • Language, Device and Operating System Detection
- • Lowering of HIPS / PFW / Operating System Security Settings
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Avira URL Cloud: |
Source: | Avira: |
Source: | Malware Configuration Extractor: |
Source: | ReversingLabs: |
Source: | ReversingLabs: |
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Static PE information: |
Networking |
---|
Source: | URLs: |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | TCP traffic: |
Source: | IP Address: |
Source: | ASN Name: |
Source: | UDP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Operating System Destruction |
---|
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
System Summary |
---|
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Code function: | 0_2_01184958 | |
Source: | Code function: | 0_2_01184088 | |
Source: | Code function: | 0_2_01185B20 | |
Source: | Code function: | 0_2_01183D40 | |
Source: | Code function: | 9_2_01234958 | |
Source: | Code function: | 9_2_01234088 | |
Source: | Code function: | 9_2_01235B20 | |
Source: | Code function: | 9_2_01233D40 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: | ||
Source: | Matched rule: |
Source: | Base64 encoded string: | ||
Source: | Base64 encoded string: | ||
Source: | Base64 encoded string: |
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: | ||
Source: | Security API names: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: | ||
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | Process created: |
Source: | Static PE information: |
Source: | Static file information: |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | ReversingLabs: |
Source: | File read: | Jump to behavior |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: | ||
Source: | High entropy of concatenated method names: |
Source: | File created: | Jump to dropped file |
Boot Survival |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Process created: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Malware Analysis System Evasion |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Binary or memory string: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Window / User API: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | WMI Queries: | ||
Source: | WMI Queries: |
Source: | Last function: |
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior | ||
Source: | File Volume queried: | Jump to behavior |
Source: | Thread delayed: | Jump to behavior | ||
Source: | Thread delayed: | Jump to behavior |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Process information queried: | Jump to behavior |
Anti Debugging |
---|
Source: | Code function: | 0_2_01182D4C |
Source: | Process queried: | Jump to behavior | ||
Source: | Process queried: | Jump to behavior |
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior | ||
Source: | Process token adjusted: | Jump to behavior |
Source: | Memory allocated: | Jump to behavior |
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior | ||
Source: | Queries volume information: | Jump to behavior |
Source: | Key value queried: | Jump to behavior |
Lowering of HIPS / PFW / Operating System Security Settings |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 2 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | 2 Scheduled Task/Job | 1 Scripting | 2 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction |
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
89% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat | ||
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira | TR/Dropper.Gen | ||
100% | Joe Sandbox ML | |||
89% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
18.ip.gl.ply.gg | 147.185.221.18 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
147.185.221.18 | 18.ip.gl.ply.gg | United States | 12087 | SALSGIVERUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1575592 |
Start date and time: | 2024-12-16 06:17:30 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 5m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | Discord2.exe |
Detection: | MAL |
Classification: | mal100.troj.evad.winEXE@15/3@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, SI HClient.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 20.12.23.50, 13.10 7.246.63 - Excluded domains from analysis
(whitelisted): client.wns.win dows.com, ocsp.digicert.com, s lscr.update.microsoft.com, ote lrules.azureedge.net, ctldl.wi ndowsupdate.com, fe3cr.deliver y.mp.microsoft.com - Execution Graph export aborted
for target Discord.exe, PID 6 528 because it is empty - Not all processes where analyz
ed, report is missing behavior information - Report size getting too big, t
oo many NtOpenKeyEx calls foun d. - Report size getting too big, t
oo many NtQueryValueKey calls found. - Report size getting too big, t
oo many NtReadVirtualMemory ca lls found. - VT rate limit hit for: Discor
d2.exe
Time | Type | Description |
---|---|---|
06:19:00 | Task Scheduler |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
147.185.221.18 | Get hash | malicious | XWorm | Browse | ||
Get hash | malicious | AsyncRAT | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | XWorm | Browse | |||
Get hash | malicious | ArrowRAT | Browse | |||
Get hash | malicious | Njrat | Browse | |||
Get hash | malicious | Njrat | Browse | |||
Get hash | malicious | AsyncRAT | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
18.ip.gl.ply.gg | Get hash | malicious | AsyncRAT | Browse |
| |
Get hash | malicious | CyberGate | Browse |
| ||
Get hash | malicious | Njrat | Browse |
|
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
SALSGIVERUS | Get hash | malicious | AsyncRAT | Browse |
| |
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | XWorm | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Njrat | Browse |
| ||
Get hash | malicious | Metasploit | Browse |
| ||
Get hash | malicious | AsyncRAT | Browse |
|
Process: | C:\Users\user\Desktop\Discord2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 151 |
Entropy (8bit): | 5.081583937874725 |
Encrypted: | false |
SSDEEP: | 3:mKDDCMNqTtvL5oaa4EaKC5dodASmqRDaa4E2J5xAInTRI8dyIRVZPy:hWKqTtT6vaZ5LSmq1v23fTdJRVk |
MD5: | CFEEFAF3CDCC9340B20F92784BA826FB |
SHA1: | 827B26862C2F27EDC10E5994A6E5983AF87F29BD |
SHA-256: | F6F0F74FE943AFA874999C0F08F05E34D12191D074946038625E752BDF33E320 |
SHA-512: | D8ECAFA44BE5209DF6E70993056F71D264C29C5CD39B5A67C5BB670E16CC14CAA03560E7223CAC01966841CC7752184D70B41B05025AE1A315CA4046374F8371 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Users\user\Desktop\Discord2.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 48640 |
Entropy (8bit): | 5.56684636882615 |
Encrypted: | false |
SSDEEP: | 768:cuyJNTAoZjRWUJd9bmo2qLZYPILhlH2PVFf2PIR84WnZQe4bg24mQG76nRqw6zse:cuyJNTAGL2g32Pzf/R83QFbg2bH6RqJX |
MD5: | 3E7CA285EF320886E388DC9097E1BF92 |
SHA1: | C2AAA30ACB4C03E041AA5CCA350C0095FA6D00F0 |
SHA-256: | E9727D97D2B5F5953A05EAF69A1BDAB54CC757955FBAB97476D94A5AF5920B97 |
SHA-512: | 34266FB5685485010F076D0FEC19AE538F27A9DA1CCCAF3454117480B7EBE83A612A52B44D651FA35897B237409CABF098AE69C9572F9932ADF022F9EB894006 |
Malicious: | true |
Yara Hits: |
|
Antivirus: |
|
Reputation: | low |
Preview: |
Process: | C:\Windows\SysWOW64\timeout.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60 |
Entropy (8bit): | 4.41440934524794 |
Encrypted: | false |
SSDEEP: | 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn |
MD5: | 3DD7DD37C304E70A7316FE43B69F421F |
SHA1: | A3754CFC33E9CA729444A95E95BCB53384CB51E4 |
SHA-256: | 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA |
SHA-512: | 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 5.56684636882615 |
TrID: |
|
File name: | Discord2.exe |
File size: | 48'640 bytes |
MD5: | 3e7ca285ef320886e388dc9097e1bf92 |
SHA1: | c2aaa30acb4c03e041aa5cca350c0095fa6d00f0 |
SHA256: | e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97 |
SHA512: | 34266fb5685485010f076d0fec19ae538f27a9da1cccaf3454117480b7ebe83a612a52b44d651fa35897b237409cabf098ae69c9572f9932adf022f9eb894006 |
SSDEEP: | 768:cuyJNTAoZjRWUJd9bmo2qLZYPILhlH2PVFf2PIR84WnZQe4bg24mQG76nRqw6zse:cuyJNTAGL2g32Pzf/R83QFbg2bH6RqJX |
TLSH: | 14232B0037E9822AF27E4F7469F22245867AF2672603D65E1CC441DB5B13FC28A526FE |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............@................................ |
Icon Hash: | 00928e8e8686b000 |
Entrypoint: | 0x40d0ae |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 4 |
OS Version Minor: | 0 |
File Version Major: | 4 |
File Version Minor: | 0 |
Subsystem Version Major: | 4 |
Subsystem Version Minor: | 0 |
Import Hash: | f34d5f2d4577ed6d9ceec516c1f5a744 |
Instruction |
---|
jmp dword ptr [00402000h] |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
add byte ptr [eax], al |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd05c | 0x4f | .text |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x7ff | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x2000 | 0xb0b4 | 0xb200 | f6037bdc3bb84e700336703f7797cfdb | False | 0.5423542837078652 | data | 5.624015101014523 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rsrc | 0xe000 | 0x7ff | 0x800 | 0f68ce4dd77ed0bb9c1e6b31f6995d94 | False | 0.41748046875 | data | 4.88506844918463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x10000 | 0xc | 0x200 | e58fd12d1b53873afe54bb7ef6c1a465 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_VERSION | 0xe0a0 | 0x2cc | data | 0.43575418994413406 | ||
RT_MANIFEST | 0xe36c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | 0.43381725021349277 |
DLL | Import |
---|---|
mscoree.dll | _CorExeMain |
Download Network PCAP: filtered – full
- Total Packets: 24
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 16, 2024 06:19:07.830809116 CET | 49711 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:07.950589895 CET | 7707 | 49711 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:07.950675964 CET | 49711 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:07.967267036 CET | 49711 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:08.086916924 CET | 7707 | 49711 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:29.855501890 CET | 7707 | 49711 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:29.855591059 CET | 49711 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:34.886106968 CET | 49711 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:34.886864901 CET | 49717 | 6606 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:35.005847931 CET | 7707 | 49711 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:35.006558895 CET | 6606 | 49717 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:35.006758928 CET | 49717 | 6606 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:35.007023096 CET | 49717 | 6606 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:19:35.126754045 CET | 6606 | 49717 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:56.902919054 CET | 6606 | 49717 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:19:56.902980089 CET | 49717 | 6606 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:01.942693949 CET | 49717 | 6606 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:01.968808889 CET | 49720 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:02.062374115 CET | 6606 | 49717 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:02.088556051 CET | 7707 | 49720 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:02.088644981 CET | 49720 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:02.088984966 CET | 49720 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:02.208712101 CET | 7707 | 49720 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:23.997128963 CET | 7707 | 49720 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:23.997205019 CET | 49720 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:28.998394966 CET | 49720 | 7707 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:28.999424934 CET | 49732 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:29.117980957 CET | 7707 | 49720 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:29.119081020 CET | 8808 | 49732 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:29.119148970 CET | 49732 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:29.119508982 CET | 49732 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:29.239173889 CET | 8808 | 49732 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:51.029292107 CET | 8808 | 49732 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:51.029479980 CET | 49732 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:56.061029911 CET | 49732 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:56.062206984 CET | 49798 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:56.180856943 CET | 8808 | 49732 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:56.182075024 CET | 8808 | 49798 | 147.185.221.18 | 192.168.2.12 |
Dec 16, 2024 06:20:56.182152987 CET | 49798 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:56.182496071 CET | 49798 | 8808 | 192.168.2.12 | 147.185.221.18 |
Dec 16, 2024 06:20:56.302181005 CET | 8808 | 49798 | 147.185.221.18 | 192.168.2.12 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 16, 2024 06:19:07.689672947 CET | 58594 | 53 | 192.168.2.12 | 1.1.1.1 |
Dec 16, 2024 06:19:07.828087091 CET | 53 | 58594 | 1.1.1.1 | 192.168.2.12 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Dec 16, 2024 06:19:07.689672947 CET | 192.168.2.12 | 1.1.1.1 | 0xd46d | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Dec 16, 2024 06:19:07.828087091 CET | 1.1.1.1 | 192.168.2.12 | 0xd46d | No error (0) | 147.185.221.18 | A (IP address) | IN (0x0001) | false |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 00:18:53 |
Start date: | 16/12/2024 |
Path: | C:\Users\user\Desktop\Discord2.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x7e0000 |
File size: | 48'640 bytes |
MD5 hash: | 3E7CA285EF320886E388DC9097E1BF92 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 00:18:58 |
Start date: | 16/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1f0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 3 |
Start time: | 00:18:58 |
Start date: | 16/12/2024 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1f0000 |
File size: | 236'544 bytes |
MD5 hash: | D0FCE3AFA6AA1D58CE9FA336CC2B675B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 4 |
Start time: | 00:18:58 |
Start date: | 16/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff704000000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 5 |
Start time: | 00:18:58 |
Start date: | 16/12/2024 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff704000000 |
File size: | 862'208 bytes |
MD5 hash: | 0D698AF330FD17BEE3BF90011D49251D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 6 |
Start time: | 00:18:58 |
Start date: | 16/12/2024 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd90000 |
File size: | 187'904 bytes |
MD5 hash: | 48C2FE20575769DE916F48EF0676A965 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 7 |
Start time: | 00:18:58 |
Start date: | 16/12/2024 |
Path: | C:\Windows\SysWOW64\timeout.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x270000 |
File size: | 25'088 bytes |
MD5 hash: | 976566BEEFCCA4A159ECBDB2D4B1A3E3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Target ID: | 8 |
Start time: | 00:19:00 |
Start date: | 16/12/2024 |
Path: | C:\Users\user\AppData\Roaming\Discord.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd00000 |
File size: | 48'640 bytes |
MD5 hash: | 3E7CA285EF320886E388DC9097E1BF92 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Antivirus matches: |
|
Reputation: | low |
Has exited: | true |
Target ID: | 9 |
Start time: | 00:19:01 |
Start date: | 16/12/2024 |
Path: | C:\Users\user\AppData\Roaming\Discord.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x9d0000 |
File size: | 48'640 bytes |
MD5 hash: | 3E7CA285EF320886E388DC9097E1BF92 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: |
|
Reputation: | low |
Has exited: | false |
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 14.9% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 16.7% |
Total number of Nodes: | 18 |
Total number of Limit Nodes: | 0 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Strings |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Execution Graph
Execution Coverage
Dynamic/Packed Code Coverage
Signature Coverage
Execution Coverage: | 13.5% |
Dynamic/Decrypted Code Coverage: | 100% |
Signature Coverage: | 0% |
Total number of Nodes: | 20 |
Total number of Limit Nodes: | 0 |
Graph
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|