analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

roma.exe

Full analysis: https://app.any.run/tasks/08ba655d-7c5b-4308-b9b7-d3e6b5a98474
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: May 20, 2019, 17:00:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
azorult
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5:

9788BDE2CD3B67266E13950C2D7FFE95

SHA1:

6144955BA1F6052E3F8CFB5C00E282B261B3EA14

SHA256:

FC74694753A09080554662E298C29B2D1BAC75DEB38B80311CDDD0974AE891B7

SSDEEP:

3072:QBBA75sieYcBRv5eEjNF5IyX/4AKDL7RCqYBD:6B6H0v5eEjNIyvvmLlC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • roma.exe (PID: 4024)
    • AZORULT was detected

      • roma.exe (PID: 4024)
    • Connects to CnC server

      • roma.exe (PID: 4024)
    • Loads dropped or rewritten executable

      • roma.exe (PID: 4024)
  • SUSPICIOUS

    • Application launched itself

      • roma.exe (PID: 3604)
    • Creates files in the user directory

      • roma.exe (PID: 4024)
    • Executable content was dropped or overwritten

      • roma.exe (PID: 4024)
    • Reads the cookies of Mozilla Firefox

      • roma.exe (PID: 4024)
    • Reads the cookies of Google Chrome

      • roma.exe (PID: 4024)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:05:20 09:51:43+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 118784
InitializedDataSize: 372736
UninitializedDataSize: 528384
EntryPoint: 0x9eb50
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows command line
FileVersionNumber: 0.3.3.6
ProductVersionNumber: 5.8.8.6
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: dry-soled
FileDescription: subagency
FileVersion: 0.3.3.6
InternalName: euphemism's.exe
LegalCopyright: Copyright (C) pyruvil 2018
OriginalFileName: canvasser.exe
ProductName: cross-curve
ProductVersion: 5.8.8.6

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 20-May-2019 07:51:43
Detected languages:
  • English - United States
CompanyName: dry-soled
FileDescription: subagency
FileVersion: 0.3.3.6
InternalName: euphemism's.exe
LegalCopyright: Copyright (C) pyruvil 2018
OriginalFilename: canvasser.exe
ProductName: cross-curve
ProductVersion: 5.8.8.6

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 20-May-2019 07:51:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00081000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00082000
0x0001D000
0x0001CE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.93755
.rsrc
0x0009F000
0x0005B000
0x0005B000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.736046

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.91161
381
Latin 1 / Western European
English - United States
RT_MANIFEST
2
1.52882
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
3
0.837549
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
4
1.26691
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
5
0.748534
67624
Latin 1 / Western European
UNKNOWN
RT_ICON
6
0.966426
16936
Latin 1 / Western European
UNKNOWN
RT_ICON
ADEANAP
0.549879
115200
Latin 1 / Western European
UNKNOWN
ERYHW
XOLYCX
0.534739
197
Latin 1 / Western European
UNKNOWN
ERYHW

Imports

KERNEL32.DLL
MSWSOCK.dll
WINMM.dll
WINSPOOL.DRV
wsnmp32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start roma.exe #AZORULT roma.exe

Process information

PID
CMD
Path
Indicators
Parent process
3604"C:\Users\admin\AppData\Local\Temp\roma.exe" C:\Users\admin\AppData\Local\Temp\roma.exe
explorer.exe
User:
admin
Company:
dry-soled
Integrity Level:
MEDIUM
Description:
subagency
Exit code:
0
Version:
0.3.3.6
4024"C:\Users\admin\AppData\Local\Temp\roma.exe" C:\Users\admin\AppData\Local\Temp\roma.exe
roma.exe
User:
admin
Company:
dry-soled
Integrity Level:
MEDIUM
Description:
subagency
Exit code:
0
Version:
0.3.3.6
Total events
39
Read events
21
Write events
18
Delete events
0

Modification events

(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(4024) roma.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\roma_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
48
Suspicious files
0
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dllexecutable
MD5:88FF191FD8648099592ED28EE6C442A5
SHA256:C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dllexecutable
MD5:D0289835D97D103BAD0DD7B9637538A1
SHA256:91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dllexecutable
MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dllexecutable
MD5:FDBA0DB0A1652D86CD471EAA509E56EA
SHA256:2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:EFF11130BFE0D9C90C0026BF2FB219AE
SHA256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dllexecutable
MD5:12CC7D8017023EF04EBDD28EF9558305
SHA256:7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dllexecutable
MD5:D500D9E24F33933956DF0E26F087FD91
SHA256:BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:E479444BDD4AE4577FD32314A68F5D28
SHA256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dllexecutable
MD5:D97A1CB141C6806F0101A5ED2673A63D
SHA256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
4024roma.exeC:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dllexecutable
MD5:5F73A814936C8E7E4A2DFD68876143C8
SHA256:96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4024
roma.exe
POST
200
103.229.72.54:80
http://rajaasia.co.id/wp-content/mee/32/index.php
ID
text
2 b
malicious
4024
roma.exe
POST
200
103.229.72.54:80
http://rajaasia.co.id/wp-content/mee/32/index.php
ID
binary
4.27 Mb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4024
roma.exe
103.229.72.54:80
rajaasia.co.id
PT Master Web Network
ID
suspicious

DNS requests

Domain
IP
Reputation
rajaasia.co.id
  • 103.229.72.54
malicious

Threats

PID
Process
Class
Message
4024
roma.exe
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
4024
roma.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
4024
roma.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult.Stealer HTTP Header
4024
roma.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult.Stealer HTTP Header
4024
roma.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
2 ETPRO signatures available at the full report
Process
Message
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll
roma.exe
User32.dll