| Field | Value |
|---|---|
| File name | NEW ORDER.exe |
| Full analysis | https://app.any.run/tasks/190e31ca-8a59-4749-9bee-28674e64c32a |
| Verdict | Malicious activity |
| Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
| Analysis date | February 19, 2019, 06:30:16 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 13A18C622E98AAD0AE73F611ABCA035C |
| SHA1 | 9BEC01E4E097F33A2CE76C23313CBA2CCAE719CA |
| SHA256 | 0F0250AACC18657B66DA72F6E2B5BDF01087CC7775D69492D8DB86CE5C172D00 |
| SSDEEP | 3072:AUtEgXXJYvTujSZoxnEcjl2tRtEkJojAgmmfNp90tlmHP5eusunLBTby5eMmI/ea:ACEnutlajE9fZbxb55043fz5ExIT |
| Extension | Detected type |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (81) |
| .dll | Win32 Dynamic Link Library (generic) (7.2) |
| .exe | Win32 Executable (generic) (4.9) |
| .exe | Win16/32 Executable Delphi generic (2.2) |
| .exe | Generic Win/DOS Executable (2.2) |
| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2019:02:18 23:07:51+01:00 |
| PEType | PE32 |
| LinkerVersion | 6 |
| CodeSize | 1424384 |
| InitializedDataSize | 3072 |
| UninitializedDataSize | - |
| EntryPoint | 0x15da9e |
| OSVersion | 4 |
| ImageVersion | - |
| SubsystemVersion | 4 |
| Subsystem | Windows GUI |
| FileVersionNumber | 0.0.0.0 |
| ProductVersionNumber | 0.0.0.0 |
| FileFlagsMask | 0x003f |
| FileFlags | (none) |
| FileOS | Win32 |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | Neutral |
| CharacterSet | Unicode |
| FileDescription | 10e360cc-6b77-4d12-9dc5-7238d41e08d |
| FileVersion | 1.0.0.0 |
| InternalName | ecSPdXWeqIjHiiTqm.exe |
| LegalCopyright | 4e0476e3-5c23-41cd-be47-9a29536f2881 |
| OriginalFileName | 93dfff4f-3673-4681-8640-56f1cbbcfd7f.exe |
| ProductVersion | 1.0.0.0 |
| AssemblyVersion | 0.0.0.0 |
| ProductName | b7d13858-bc35-447c-804d-6734b2e6b6b8 |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3084 | "C:\Users\admin\AppData\Local\Temp\NEW ORDER.exe" | C:\Users\admin\AppData\Local\Temp\NEW ORDER.exe | | explorer.exe |
| 3188 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | | NEW ORDER.exe |

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 3084 | admin | | MEDIUM | 10e360cc-6b77-4d12-9dc5-7238d41e08d | 0 | 1.0.0.0 |
| 3188 | admin | Microsoft Corporation | MEDIUM | Visual Basic Command Line Compiler | 216 | 14.0.1055.0 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASAPI32 | EnableFileTracing | 0 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASAPI32 | EnableConsoleTracing | 0 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASAPI32 | FileTracingMask | 4294901760 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASAPI32 | ConsoleTracingMask | 4294901760 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASAPI32 | MaxFileSize | 1048576 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASAPI32 | FileDirectory | %windir%\tracing |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASMANCS | EnableFileTracing | 0 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASMANCS | EnableConsoleTracing | 0 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASMANCS | FileTracingMask | 4294901760 |
| 3188 | vbc.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\vbc_RASMANCS | ConsoleTracingMask | 4294901760 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3084 | NEW ORDER.exe | C:\Users\admin\AppData\Roaming\ExecuteUpdate.exe | executable | 13A18C622E98AAD0AE73F611ABCA035C | 0F0250AACC18657B66DA72F6E2B5BDF01087CC7775D69492D8DB86CE5C172D00 |
| 3084 | NEW ORDER.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.url | text | 769EA530BFCA8654F9F5874D3166BCD1 | 5778C4C2E159371661F27AE7D3CA755F7030AEB26605B9797352616D50D09642 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3188 | vbc.exe | POST | — | 47.254.177.121:80 | http://ata-modenna.com/dubai/index.php | US | — | — | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3188 | vbc.exe | 47.254.177.121:80 | ata-modenna.com | Alibaba (China) Technology Co., Ltd. | US | malicious |

| Domain | IP | Reputation |
|---|---|---|
| ata-modenna.com | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 3188 | vbc.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
| 3188 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
| 3188 | vbc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |