analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ordine.exe

Full analysis: https://app.any.run/tasks/c05755c4-b1f3-4ddf-a3b1-9e368976d6fc
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Malware Trends Tracker     >>>
Analysis date: October 20, 2020, 08:05:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
rat
remcos
keylogger
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

231442CEE42F591F495EDF68551D5E26

SHA1:

78C7EC8A51960F2F6FA7B1941AA24DCA0A11F845

SHA256:

0FAC83472E461604CDB195068CA091AF7C56D39C73794FA41394206E1EDE2894

SSDEEP:

12288:Gg6qVpf8BGuCG43fxR8bUQFqSjRJsK/AlQ4fMCGOLou:GgZoBGuX44pbLmlQDpw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • ordine.exe (PID: 1840)

    • REMCOS was detected

      • ieinstal.exe (PID: 772)

    • Connects to CnC server

      • ieinstal.exe (PID: 772)

  • SUSPICIOUS

    • Creates files in the user directory

      • ordine.exe (PID: 1840)
      • ieinstal.exe (PID: 772)

    • Executable content was dropped or overwritten

      • ordine.exe (PID: 1840)

    • Writes files like Keylogger logs

      • ieinstal.exe (PID: 772)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (37.4)
.scr | Windows screen saver (34.5)
.exe | Win32 Executable (generic) (11.9)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x89178
UninitializedDataSize: -
InitializedDataSize: 303104
CodeSize: 557568
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
CODE
0x00001000
0x000881EC
0x00088200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.53011
DATA
0x0008A000
0x00027A94
0x00027C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
6.75001
BSS
0x000B2000
0x00000D75
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x000B3000
0x000026D4
0x00002800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.8768
.tls
0x000B6000
0x00000010
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x000B7000
0x00000018
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
0.203014
.reloc
0x000B8000
0x00009BE0
0x00009C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
6.67127
.rsrc
0x000C2000
0x00015E00
0x00015E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
5.22402

Resources

Title
Entropy
Size
Codepage
Language
Type
1
2.62308
62
UNKNOWN
English - United States
RT_GROUP_ICON
2
6.20085
2440
UNKNOWN
English - United States
RT_ICON
3
5.86821
4264
UNKNOWN
English - United States
RT_ICON
4
5.50574
9640
UNKNOWN
English - United States
RT_ICON
5
2.6949
308
UNKNOWN
UNKNOWN
RT_CURSOR
6
2.62527
308
UNKNOWN
UNKNOWN
RT_CURSOR
7
2.91604
308
UNKNOWN
UNKNOWN
RT_CURSOR
4078
3.11179
724
UNKNOWN
UNKNOWN
RT_STRING
4079
3.24951
1188
UNKNOWN
UNKNOWN
RT_STRING
4080
3.31387
480
UNKNOWN
UNKNOWN
RT_STRING

Imports

advapi32.dll
comctl32.dll
comdlg32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
user32.dll
version.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ordine.exe #REMCOS ieinstal.exe

Process information

PID
CMD
Path
Indicators
Parent process
1840"C:\Users\admin\Desktop\ordine.exe" C:\Users\admin\Desktop\ordine.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
772"C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe
ordine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer Add-on Installer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
43
Read events
22
Write events
21
Delete events
0

Modification events

(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000007F000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1840) ordine.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1840) ordine.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
1
Suspicious files
2
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
1840ordine.exeC:\Users\admin\AppData\Local\Temp\Cab6013.tmp
MD5:
SHA256:
1840ordine.exeC:\Users\admin\AppData\Local\Temp\Tar6014.tmp
MD5:
SHA256:
1840ordine.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:1E1B7898FC090E148365953C9320CA2B
SHA256:E472ACC2A787642021D3850F08344176723C576B6C262E7D19D2E01CFDAACAC5
1840ordine.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:74B81205695405C0262D63A43451868E
SHA256:2C9CA21247D82DCF8C5C4374871F73C832EF0A514FF7FAA89F5FFBDF60CAB397
1840ordine.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\Ttyjvcx[1]text
MD5:18023DED9F79F1732AD4D77711D31837
SHA256:CD7DD1467C495E8DF9412502A584DD2AF9D3D97E0A99F38BAC840165EAC43FE2
1840ordine.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MGH5QDC1.txttext
MD5:4F0487DA8898E3B91E6914645BE515E8
SHA256:F38A35BD62F5B98AF3B4AE607E7F888AEF1A46B549C4F0E46D2BB218FB7111D7
772ieinstal.exeC:\Users\admin\AppData\Roaming\remcos\logs.dattext
MD5:D4AD4DA18BB6B0A5EFA731E4AABB39B6
SHA256:D9DD488B4B85B07B37FC7F13DC0C53A9F2D7A6FDBF79D605285368236E004C14
1840ordine.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Ttyjdrv.exeexecutable
MD5:231442CEE42F591F495EDF68551D5E26
SHA256:0FAC83472E461604CDB195068CA091AF7C56D39C73794FA41394206E1EDE2894
1840ordine.exeC:\Users\admin\AppData\Local\jytT.urltext
MD5:2A021C159E21636B1C5313F7FE2F97E5
SHA256:683D85563965FC57970A27EC1EBFF102866990C125DFBD80EB301DBCED75E111
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
7
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1840
ordine.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a7583ac2f24945ed
US
compressed
57.5 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1840
ordine.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
772
ieinstal.exe
194.127.179.245:7762
rromaniitalfoodsinc.zapto.org
DE
malicious
772
ieinstal.exe
115.134.23.40:2910
rromaniitalfoodsinc.zapto.org
TM Net, Internet Service Provider
MY
unknown
1840
ordine.exe
162.159.128.233:443
discord.com
Cloudflare Inc
malicious
1840
ordine.exe
162.159.135.233:443
cdn.discordapp.com
Cloudflare Inc
shared
772
ieinstal.exe
115.134.23.40:7762
rromaniitalfoodsinc.zapto.org
TM Net, Internet Service Provider
MY
unknown
772
ieinstal.exe
115.134.23.40:6639
rromaniitalfoodsinc.zapto.org
TM Net, Internet Service Provider
MY
unknown

DNS requests

Domain
IP
Reputation
discord.com
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.138.232
  • 162.159.137.232
  • 162.159.136.232
whitelisted
cdn.discordapp.com
  • 162.159.135.233
  • 162.159.134.233
  • 162.159.133.233
  • 162.159.129.233
  • 162.159.130.233
shared
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
rromaniitalfoodsinc.zapto.org
  • 115.134.23.40
  • 194.127.179.245
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.zapto .org
Potentially Bad Traffic
ET POLICY DNS Query to DynDNS Domain *.zapto .org
772
ieinstal.exe
A Network Trojan was detected
REMOTE [PTsecurity] Backdoor.Win32/Remcos RAT connection
25 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
ordine.exe