| File name: | net.exe |
| Full analysis: | https://app.any.run/tasks/cda0a374-4e28-49d2-a997-5f0cee526a8b |
| Verdict: | Malicious activity |
| Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
| Analysis date: | February 16, 2024, 13:27:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 1A917A85DCBB1D3DF5F4DD02E3A62873 |
| SHA1: | 567F528FEC8E7A4787F8C253446D8F1B620DC9D6 |
| SHA256: | 217FBF967C95D1359314FCD53AE8D04489EB3C7BDC1F22110D5A8A476D1FC92E |
| SSDEEP: | 98304:LiWqg2DGA1VesIBquLgBwTudymWvOGAqVDjhTjThycwGOPRQYpKoh6g4nMrRjRcO:HyBsfbe0 |
MALICIOUS
Drops the executable file immediately after the start
- net.exe (PID: 3700)
- BBLb.exe (PID: 1348)
RHADAMANTHYS has been detected (SURICATA)
- dialer.exe (PID: 2304)
Run PowerShell with an invisible window
- powershell.exe (PID: 2904)
- powershell.exe (PID: 552)
Bypass execution policy to execute commands
- powershell.exe (PID: 2904)
- powershell.exe (PID: 552)
Connects to the CnC server
- my7Heft6IL.exe (PID: 568)
AZORULT has been detected (SURICATA)
- my7Heft6IL.exe (PID: 568)
Actions looks like stealing of personal data
- dialer.exe (PID: 2304)
SUSPICIOUS
Executable content was dropped or overwritten
- net.exe (PID: 3700)
- BBLb.exe (PID: 1348)
- dialer.exe (PID: 2304)
Reads security settings of Internet Explorer
- net.exe (PID: 3700)
- BBLb.exe (PID: 3736)
- my7Heft6IL.exe (PID: 568)
Reads the Internet Settings
- net.exe (PID: 3700)
- BBLb.exe (PID: 3736)
- powershell.exe (PID: 2904)
- my7Heft6IL.exe (PID: 568)
- powershell.exe (PID: 552)
Application launched itself
- net.exe (PID: 3700)
- BBLb.exe (PID: 3972)
- BBLb.exe (PID: 2420)
- my7Heft6IL.exe (PID: 3540)
- AttributeString.exe (PID: 2172)
- MSBuild.exe (PID: 128)
Starts CMD.EXE for commands execution
- BBLb.exe (PID: 3736)
The executable file from the user directory is run by the CMD process
- BBLb.exe (PID: 2420)
The process checks if it is being run in the virtual environment
- dialer.exe (PID: 2304)
The process executes via Task Scheduler
- powershell.exe (PID: 2904)
- AttributeString.exe (PID: 2172)
- powershell.exe (PID: 552)
Using PowerShell to operate with local accounts
- powershell.exe (PID: 2904)
- powershell.exe (PID: 552)
Accesses Microsoft Outlook profiles
- dialer.exe (PID: 2304)
Executed via WMI
- my7Heft6IL.exe (PID: 3540)
Searches for installed software
- dialer.exe (PID: 2304)
Loads DLL from Mozilla Firefox
- dialer.exe (PID: 2304)
Reads browser cookies
- dialer.exe (PID: 2304)
Connects to unusual port
- MSBuild.exe (PID: 764)
INFO
Create files in a temporary directory
- net.exe (PID: 3700)
Checks supported languages
- net.exe (PID: 3700)
- BBLb.exe (PID: 3972)
- net.exe (PID: 3664)
- BBLb.exe (PID: 3736)
- BBLb.exe (PID: 1348)
- BBLb.exe (PID: 2420)
- my7Heft6IL.exe (PID: 3540)
- wmpnscfg.exe (PID: 2888)
- my7Heft6IL.exe (PID: 568)
- AttributeString.exe (PID: 2172)
- AttributeString.exe (PID: 3444)
- MSBuild.exe (PID: 128)
- MSBuild.exe (PID: 764)
Reads the computer name
- net.exe (PID: 3700)
- BBLb.exe (PID: 3972)
- BBLb.exe (PID: 3736)
- BBLb.exe (PID: 2420)
- BBLb.exe (PID: 1348)
- my7Heft6IL.exe (PID: 3540)
- my7Heft6IL.exe (PID: 568)
- AttributeString.exe (PID: 2172)
- AttributeString.exe (PID: 3444)
- MSBuild.exe (PID: 128)
- MSBuild.exe (PID: 764)
Reads the machine GUID from the registry
- net.exe (PID: 3700)
- BBLb.exe (PID: 3972)
- BBLb.exe (PID: 3736)
- BBLb.exe (PID: 2420)
- BBLb.exe (PID: 1348)
- my7Heft6IL.exe (PID: 3540)
- my7Heft6IL.exe (PID: 568)
- wmpnscfg.exe (PID: 2888)
- AttributeString.exe (PID: 2172)
- AttributeString.exe (PID: 3444)
- MSBuild.exe (PID: 764)
- MSBuild.exe (PID: 128)
Creates files or folders in the user directory
- BBLb.exe (PID: 1348)
- dialer.exe (PID: 2304)
Drops the executable file immediately after the start
- dialer.exe (PID: 2304)
Checks proxy server information
- my7Heft6IL.exe (PID: 568)
Reads product name
- my7Heft6IL.exe (PID: 568)
Reads Environment values
- my7Heft6IL.exe (PID: 568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (82.9) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (7.4) |
| .exe | | | Win32 Executable (generic) (5.1) |
| .exe | | | Generic Win/DOS Executable (2.2) |
| .exe | | | DOS Executable Generic (2.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:01:30 12:16:31+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 8 |
| CodeSize: | 2229760 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2224fe |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | - |
| FileVersion: | 1.0.0.0 |
| InternalName: | native.exe |
| LegalCopyright: | - |
| LegalTrademarks: | - |
| OriginalFileName: | native.exe |
| ProductName: | - |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
66
Monitored processes
17
Malicious processes
7
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | — | AttributeString.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: MSBuild.exe Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 552 | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 568 | C:\Users\admin\AppData\Local\Microsoft\my7Heft6IL.exe | C:\Users\admin\AppData\Local\Microsoft\my7Heft6IL.exe | my7Heft6IL.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 764 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | MSBuild.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: MSBuild.exe Exit code: 0 Version: 4.8.3761.0 built by: NET48REL1 Modules
| |||||||||||||||
| 1348 | C:\Users\admin\AppData\Local\Temp\BBLb.exe | C:\Users\admin\AppData\Local\Temp\BBLb.exe | BBLb.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2172 | C:\Users\admin\AppData\Local\TypeId\lcfdpq\AttributeString.exe | C:\Users\admin\AppData\Local\TypeId\lcfdpq\AttributeString.exe | — | taskeng.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2304 | "C:\Windows\system32\dialer.exe" | C:\Windows\System32\dialer.exe | net.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Phone Dialer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2420 | "C:\Users\admin\AppData\Local\Temp\BBLb.exe" | C:\Users\admin\AppData\Local\Temp\BBLb.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 2888 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | dialer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2904 | powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
Total events
16 191
Read events
16 024
Write events
161
Delete events
6
Modification events
| (PID) Process: | (3700) net.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3700) net.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3700) net.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3700) net.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3664) net.exe | Key: | HKEY_CURRENT_USER\Software\SibCode |
| Operation: | write | Name: | sn |
Value: | |||
| (PID) Process: | (3736) BBLb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3736) BBLb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3736) BBLb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3736) BBLb.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2904) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
3
Suspicious files
8
Text files
0
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2904 | powershell.exe | C:\Users\admin\AppData\Local\Temp\upy5oqa5.bml.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WJLV819TD7BS7HNJ8L5C.temp | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF181c9b.TMP | binary | |
MD5:0268C3470C936E6FBAC2945B9E1C2099 | SHA256:DF2AF58E8879B48826D8A418ED3B02CC8D484BCFC231C5B7A11BD153ED3998E9 | |||
| 2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF189ca8.TMP | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 2904 | powershell.exe | C:\Users\admin\AppData\Local\Temp\0ih1s5d4.4xc.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 2904 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
| 552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HAVVLM0GSJTSUGF4I51J.temp | binary | |
MD5:42E3956892291F5EE35E1B989213EF05 | SHA256:D4E6947871B5FD00AD32F8707479DD6EC92AB65D8C6D157B1C0C3D99D575E468 | |||
| 2304 | dialer.exe | C:\Users\admin\AppData\Local\Microsoft\my7Heft6IL.exe | executable | |
MD5:EC88A4C1DCFB3861F6C9C364DEEABD94 | SHA256:23722503BDCC20AB9E6482BB2D3E92E50B13443799F361975BB36A91F0EEB895 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
5
Threats
8
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
568 | my7Heft6IL.exe | POST | 200 | 91.215.85.223:80 | http://parals.ac.ug/index.php | unknown | text | 4 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2304 | dialer.exe | 194.50.153.126:443 | pastratas.ac.ug | — | — | unknown |
568 | my7Heft6IL.exe | 91.215.85.223:80 | parals.ac.ug | — | RU | unknown |
764 | MSBuild.exe | 94.156.69.145:58001 | junks.ac.ug | Terasyst Ltd | BG | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pastratas.ac.ug |
| unknown |
parals.ac.ug |
| unknown |
nickshort.ug |
| unknown |
kodedea.ug |
| unknown |
junks.ac.ug |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2304 | dialer.exe | A Network Trojan was detected | STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s |
568 | my7Heft6IL.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/AZORult V3.3 Client Checkin M2 |
6 ETPRO signatures available at the full report