analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

c.exe

Full analysis: https://app.any.run/tasks/20bf2d36-0a27-43f0-9858-d43789299848
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: January 17, 2019, 16:01:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
azorult
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

88744682D31FE3D08F156FE340925E6F

SHA1:

BD755B3CC8B2492E11DC885E57B3E6F7E79BF038

SHA256:

5171E24F32B4171F642ACAF1E6B5AE03B3803D7647E0AAE819B58FEC6C14EE03

SSDEEP:

6144:/fFFlDWKlzdgKZeyxnFSJc+yzupYrNEMYYsGnGgWyB8Jtut/B3lN:/fblDJvjewnFLupYrNE3YsyGtyB8CtJf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • c.exe (PID: 3076)
    • AZORULT was detected

      • msiexec.exe (PID: 3796)
    • Connects to CnC server

      • msiexec.exe (PID: 3796)
  • SUSPICIOUS

    • Changes tracing settings of the file or console

      • msiexec.exe (PID: 3796)
    • Creates files in the user directory

      • c.exe (PID: 3076)
    • Executable content was dropped or overwritten

      • c.exe (PID: 3076)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:04:03 22:21:07+02:00
PEType: PE32
LinkerVersion: 6
CodeSize: 28160
InitializedDataSize: 197120
UninitializedDataSize: 2048
EntryPoint: 0x3834
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 03-Apr-2016 20:21:07
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 03-Apr-2016 20:21:07
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00006C01
0x00006E00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44437
.rdata
0x00008000
0x000014FC
0x00001600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.08681
.data
0x0000A000
0x0002D8B8
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.4589
.ndata
0x00038000
0x00012000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0004A000
0x00007720
0x00007800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.7127

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.29548
1061
UNKNOWN
English - United States
RT_MANIFEST
2
5.61959
4264
UNKNOWN
English - United States
RT_ICON
3
4.84061
3752
UNKNOWN
English - United States
RT_ICON
4
6.16608
2216
UNKNOWN
English - United States
RT_ICON
5
3.91942
1640
UNKNOWN
English - United States
RT_ICON
6
5.42186
1384
UNKNOWN
English - United States
RT_ICON
7
5.58096
1128
UNKNOWN
English - United States
RT_ICON
8
3.74963
744
UNKNOWN
English - United States
RT_ICON
9
3.01957
296
UNKNOWN
English - United States
RT_ICON
103
2.73226
132
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
31
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start c.exe #AZORULT msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
3076"C:\Users\admin\AppData\Local\Temp\c.exe" C:\Users\admin\AppData\Local\Temp\c.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3796C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe
c.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Total events
381
Read events
363
Write events
18
Delete events
0

Modification events

(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3796) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
3
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3076c.exeC:\Users\admin\AppData\Local\Temp\nsx6DDE.tmp
MD5:
SHA256:
3076c.exeC:\Users\admin\AppData\Local\Temp\permanent.dllexecutable
MD5:141A631E9071EC63869CFDD4691F45BF
SHA256:040752C2F4E3BEC03FE37BA2A52C091E44CCFDC47324E84E291F8F9719745B31
3076c.exeC:\Users\admin\AppData\Local\Temp\Girlfriendbinary
MD5:0ED60C622C629635F7FAB6A897C215D4
SHA256:91FC88389BCE78507BECA718C46703989B40AF05B5807289928C5161B5B21459
3076c.exeC:\Users\admin\AppData\Roaming\mung.exeexecutable
MD5:88744682D31FE3D08F156FE340925E6F
SHA256:5171E24F32B4171F642ACAF1E6B5AE03B3803D7647E0AAE819B58FEC6C14EE03
3076c.exeC:\Users\admin\AppData\Local\Temp\nsn6DEF.tmp\System.dllexecutable
MD5:75ED96254FBF894E42058062B4B4F0D1
SHA256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
1
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3796
msiexec.exe
POST
200
209.61.195.213:8080
http://209.61.195.213:8080/cass/index.php
US
text
7 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3796
msiexec.exe
209.61.195.213:8080
HopOne Internet Corporation
US
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
3796
msiexec.exe
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
3796
msiexec.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
3796
msiexec.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
3796
msiexec.exe
Potentially Bad Traffic
ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
No debug info