analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

n.exe

Full analysis: https://app.any.run/tasks/feb3c85b-ec00-4f8a-b232-086da9859385
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: January 17, 2019, 16:04:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
azorult
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

1170FF02710A7C0BCDE515D4F3CDEB2B

SHA1:

D26E4C353105BD6A3D78CFE033011F168FE026C5

SHA256:

04AE033ECD20F1D7EBDF39D19C05D03CC062175E8E639DE1C2DACFD329C78698

SSDEEP:

6144:/fFFlDWKlzdgKZbCeFA1beepBj2fXeaHccD4acNP8Bb7ndzdvP/HPvqGm/YiD:/fblDJvj5FA1jpBj2fz88jcNP8Bt5vP2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • n.exe (PID: 3100)
    • Connects to CnC server

      • msiexec.exe (PID: 3472)
    • AZORULT was detected

      • msiexec.exe (PID: 3472)
  • SUSPICIOUS

    • Changes tracing settings of the file or console

      • msiexec.exe (PID: 3472)
    • Creates files in the user directory

      • n.exe (PID: 3100)
    • Executable content was dropped or overwritten

      • n.exe (PID: 3100)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:03 22:21:07+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 28160
InitializedDataSize: 197120
UninitializedDataSize: 2048
EntryPoint: 0x3834
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Apr-2016 20:21:07
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Apr-2016 20:21:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006C01
0x00006E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44437
.rdata
0x00008000
0x000014FC
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.08681
.data
0x0000A000
0x0002D8B8
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.4589
.ndata
0x00038000
0x00012000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0004A000
0x00007720
0x00007800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.7127

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.29548
1061
UNKNOWN
English - United States
RT_MANIFEST
2
5.61959
4264
UNKNOWN
English - United States
RT_ICON
3
4.84061
3752
UNKNOWN
English - United States
RT_ICON
4
6.16608
2216
UNKNOWN
English - United States
RT_ICON
5
3.91942
1640
UNKNOWN
English - United States
RT_ICON
6
5.42186
1384
UNKNOWN
English - United States
RT_ICON
7
5.58096
1128
UNKNOWN
English - United States
RT_ICON
8
3.74963
744
UNKNOWN
English - United States
RT_ICON
9
3.01957
296
UNKNOWN
English - United States
RT_ICON
103
2.73226
132
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
31
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start n.exe #AZORULT msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
3100"C:\Users\admin\AppData\Local\Temp\n.exe" C:\Users\admin\AppData\Local\Temp\n.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3472C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe
n.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Total events
363
Read events
345
Write events
18
Delete events
0

Modification events

(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3472) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3100n.exeC:\Users\admin\AppData\Local\Temp\nsnE8DE.tmp
MD5:
SHA256:
3100n.exeC:\Users\admin\AppData\Local\Temp\potentials.dllexecutable
MD5:141A631E9071EC63869CFDD4691F45BF
SHA256:040752C2F4E3BEC03FE37BA2A52C091E44CCFDC47324E84E291F8F9719745B31
3100n.exeC:\Users\admin\AppData\Local\Temp\Girlfriendbinary
MD5:A4D307FF2112B77CD87049BDB6410E5F
SHA256:CD2DDA236A41BAD09C74707CBD962A6BFA8E6DB8E1B35B4A645FE3589CB2862F
3100n.exeC:\Users\admin\AppData\Roaming\mung.exeexecutable
MD5:1170FF02710A7C0BCDE515D4F3CDEB2B
SHA256:04AE033ECD20F1D7EBDF39D19C05D03CC062175E8E639DE1C2DACFD329C78698
3100n.exeC:\Users\admin\AppData\Local\Temp\nsnE8DF.tmp\System.dllexecutable
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3472
msiexec.exe
POST
200
209.61.195.213:8080
http://209.61.195.213:8080/naz/index.php
US
text
7 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3472
msiexec.exe
209.61.195.213:8080
HopOne Internet Corporation
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3472
msiexec.exe
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
3472
msiexec.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
3472
msiexec.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
3472
msiexec.exe
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
1 ETPRO signatures available at the full report
No debug info