File name:

e-Archive Dekont.exe

Full analysis: https://app.any.run/tasks/9d3f770d-4518-4cf8-b6e7-601347426b42
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: July 19, 2024, 00:59:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
netreactor
stealer
azorult
loader
hiloti
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

7A0093C743FC33A5E111F2FEC269F79B

SHA1:

FEADB2CA02D41F2D834B8577F39A582D4BDD734F

SHA256:

722EF401E5CBB067C5C33FAA402774D3C75EF08E0C8CC4D7E66A9CFA53684088

SSDEEP:

12288:9ydPkF/ZAC8I1SkXHmjQ961/Tl9/EHDO2wbr:U+F/ZA/8SkXx61LIHDOn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • e-Archive Dekont.exe (PID: 3332)

    • Uses Task Scheduler to run other applications

      • e-Archive Dekont.exe (PID: 3332)

    • Stealers network behavior

      • e-Archive Dekont.exe (PID: 3144)

    • AZORULT has been detected (SURICATA)

      • e-Archive Dekont.exe (PID: 3144)

    • Connects to the CnC server

      • e-Archive Dekont.exe (PID: 3144)

    • HILOTI has been detected (SURICATA)

      • e-Archive Dekont.exe (PID: 3144)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • e-Archive Dekont.exe (PID: 3332)

    • Reads the Internet Settings

      • e-Archive Dekont.exe (PID: 3332)
      • e-Archive Dekont.exe (PID: 3144)

    • Reads security settings of Internet Explorer

      • e-Archive Dekont.exe (PID: 3332)
      • e-Archive Dekont.exe (PID: 3144)

    • Application launched itself

      • e-Archive Dekont.exe (PID: 3332)

    • Contacting a server suspected of hosting an CnC

      • e-Archive Dekont.exe (PID: 3144)

  • INFO

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3396)

    • Reads the computer name

      • e-Archive Dekont.exe (PID: 3332)
      • wmpnscfg.exe (PID: 3396)
      • e-Archive Dekont.exe (PID: 3144)

    • Checks supported languages

      • e-Archive Dekont.exe (PID: 3332)
      • wmpnscfg.exe (PID: 3396)
      • e-Archive Dekont.exe (PID: 3144)

    • Reads the machine GUID from the registry

      • e-Archive Dekont.exe (PID: 3332)
      • e-Archive Dekont.exe (PID: 3144)

    • Creates files or folders in the user directory

      • e-Archive Dekont.exe (PID: 3332)
      • e-Archive Dekont.exe (PID: 3144)

    • .NET Reactor protector has been detected

      • e-Archive Dekont.exe (PID: 3332)

    • Create files in a temporary directory

      • e-Archive Dekont.exe (PID: 3332)

    • Reads Environment values

      • e-Archive Dekont.exe (PID: 3144)

    • Reads product name

      • e-Archive Dekont.exe (PID: 3144)

    • Checks proxy server information

      • e-Archive Dekont.exe (PID: 3144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:06 00:58:56+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 492032
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x79ffe
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsft
FileDescription: Comunication Client
FileVersion: 1.0.0.0
InternalName: Get.exe
LegalCopyright: Copyright © 2016
LegalTrademarks: -
OriginalFileName: Get.exe
ProductName: Comunication Client
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT e-archive dekont.exe wmpnscfg.exe no specs schtasks.exe no specs #AZORULT e-archive dekont.exe

Process information

PID
CMD
Path
Indicators
Parent process
2936"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VbxFiQYCyFDgGL" /XML "C:\Users\admin\AppData\Local\Temp\tmp95DE.tmp"C:\Windows\System32\schtasks.exee-Archive Dekont.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
3144"C:\Users\admin\AppData\Local\Temp\e-Archive Dekont.exe"C:\Users\admin\AppData\Local\Temp\e-Archive Dekont.exe
e-Archive Dekont.exe
User:
admin
Company:
Microsft
Integrity Level:
MEDIUM
Description:
Comunication Client
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\e-archive dekont.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3332"C:\Users\admin\AppData\Local\Temp\e-Archive Dekont.exe" C:\Users\admin\AppData\Local\Temp\e-Archive Dekont.exe
explorer.exe
User:
admin
Company:
Microsft
Integrity Level:
MEDIUM
Description:
Comunication Client
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\e-archive dekont.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3396"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
1 700
Read events
1 666
Write events
28
Delete events
6

Modification events

(PID) Process:(3332) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3332) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3332) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3332) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3144) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3144) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3144) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3144) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3144) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyServer
Value:
(PID) Process:(3144) e-Archive Dekont.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:delete valueName:ProxyOverride
Value:
Executable files
1
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
3144e-Archive Dekont.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\VRPYNMA1.txttext
MD5:5AF69B2E3F661322FE2A6B4470B59583
SHA256:EE967DD495426BA8AFE24FA23687B563E9590314A0743044A99F49B7A0AA1B0B
3144e-Archive Dekont.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\T2DKZZHM.txttext
MD5:35CAC8F5A0170128B1C75CE0B0D10A83
SHA256:03A461F14CCFC112EA8966AD78BED01EF43F3CBA14CB572DF9C1328BB443A358
3332e-Archive Dekont.exeC:\Users\admin\AppData\Roaming\VbxFiQYCyFDgGL.exeexecutable
MD5:7A0093C743FC33A5E111F2FEC269F79B
SHA256:722EF401E5CBB067C5C33FAA402774D3C75EF08E0C8CC4D7E66A9CFA53684088
3332e-Archive Dekont.exeC:\Users\admin\AppData\Local\Temp\tmp95DE.tmpxml
MD5:6B4A9619CDFE5DE074FC0EA6A7E22C83
SHA256:B41058E0531493D30FDF534F272CDDB781D7718B81A5ED06325407041F6CE25F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
15
DNS requests
8
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
23.50.131.216:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
whitelisted
1372
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1372
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3144
e-Archive Dekont.exe
POST
302
103.224.212.216:80
http://5gw4d.xyz/PL341/index.php
unknown
unknown
1060
svchost.exe
GET
304
87.248.204.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
unknown
whitelisted
3144
e-Archive Dekont.exe
GET
200
199.59.243.226:80
http://ww25.5gw4d.xyz/PL341/index.php?subid1=20240719-1100-34db-b8b4-4d09e6b3a92a
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
whitelisted
1372
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
224.0.0.252:5355
whitelisted
4
System
192.168.100.255:138
whitelisted
2564
svchost.exe
239.255.255.250:3702
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1372
svchost.exe
23.50.131.216:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 23.50.131.216
  • 23.50.131.200
  • 87.248.204.0
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
5gw4d.xyz
  • 103.224.212.216
unknown
ww25.5gw4d.xyz
  • 199.59.243.226
unknown

Threats

PID
Process
Class
Message
3144
e-Archive Dekont.exe
Potentially Bad Traffic
ET HUNTING Hiloti Style GET to PHP with invalid terse MSIE headers
3144
e-Archive Dekont.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/AZORult V3.3 Client Checkin M2
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
e-Archive Dekont.exe