Windows Analysis Report
ORDINE.exe

Overview

General Information

Sample Name: ORDINE.exe
Analysis ID: 679294
MD5: 30e619eed663b6696ba1269dec11e1a9
SHA1: 04ad1454bb163c8e1c5820ba591ae613dd6f6d45
SHA256: faaddcf1294c8358fc6ccc4c36ecdc9fccd03ac345b3d022db144798d611397d
Tags: AsyncRATexeRAT
Infos:

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected AsyncRAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Injects files into Windows application
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Potential browser exploit detected (process start blacklist hit)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: ORDINE.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Avira: detection malicious, Label: TR/Dropper.Gen
Machine Learning detection for sample
Source: ORDINE.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Joe Sandbox ML: detected
Source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "191.101.130.243", "Ports": "7707", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "F37wL6kU6d1ln0ZzFzD1Z61sP0kXqYbm", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQALjgwS++igAkwAOyv5bgMTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwODAzMDYwMjIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAILRFbpKGfwFx25WYYuVCgXl7TdoxRlXM7zcKGvdFLIDy1Bwzp0Y99L/Yy/oseRDrfihrsyph3Ms454cgfjFob5XtBvoXtPAO32uamRVh+1y+C67eBmRe/MTSmTHmQsttSmFFVBwfl5rSS3q2lhTvhPSyQlNn2Y9TAvIIqrg0gIYOW65cTGikiV1+8P+sOoCH9JWRcNUKSrTDX0O+6ZCTOc3UKBW5oj//FcsGreSZw7E2mMTX5WHJNIB5zXB6cfpPdQBwpvJWnpWfCaMgEuJdRC6EznuC0ZFfxQSSCiH8ZkS+JC/MtA/WGWHggqPo/dywuLNygPleYVxK0tVPSZTFEH7Mpo7Z+TiVL6xno7y3LtuaAUvP+yddJ/rhQOmHbs6Qn9zpV39WXz4K3JBp+OYhHUCWpPfjnE9eR4xLzwK2RfwPGhbboIj7TgAdl3YHa9R+sSM19PXHNQjXRMxoZ32Em8EmdSqzbN0lW+I+7/hc+42J22p+fKOnuC2CiBUBNk5ODph27qZ65UYRywRJIkZnCz6K9VDSeDTmF8BrlxdC89mtidHBe9s+ZmBrK4hsJ7VigYXN1J5s9aiaEmfLIGfG1mzv2f9/9Dly4k0tAx9K0PgZmpHBw6HWFjj/88CKy954G2Lb9KJNRyOLLPNs9e4eh8jWEinryjA+0RG0bxlqfdJAgMBAAGjMjAwMB0GA1UdDgQWBBSTNFdMcn6A/QRYYvQpa7SIp9dQQDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAEhlXRdBaUw7zIzKsy1KHQ5goP0TMTkmw+cP2ufXJGYE1rMRHCz9CTAPCd+OSjjzljF8sVUY403LxZdaAI0wB+6RG/3gLcMhljO83Xegx0uONr50r1VAWYwbQU/qQdzsX2epdgqt3S6d0DFzfXE68V0lXL7Plw/Bc3qlrborgVfSHpdWCTCgcJ4a8YDsA+6wi3uADUlm52ztAveJ9f7IYUk7XzevOKqsqmHt+xmWFqgiw1DWvdAx+qDYfXnko8ypz1OuffTNahU82eUiD96TBJt0Gr+d5tfPLmt1yTYa0XzxWy0r9dvYZWEbV5r03Ce2cw26V3z77OX6ZvckR1/qG0tIL06V8nXhmhV0zGGK1i9by9vivfBFQxD2EcVUyPL4URLpDoCqipskOo4bt2TLqUzssOkH41l8n6yZJl8/xYFyzH/2hfY1VS6NnLd9J2w0+ToHxXlhpwZb58JOVXSavCF6d/767aBg8v+Y+MH17RTjBuB+gk7qoJLKGqyTAhag3GvQ9aMVLBxNT99JBcmyUO/3NMTDt4ckAUpEuImvo1zvPdRZV+VnmQbfTBynoWXfw1cDPc+afE2gS55hMhk/vitY9h4fy/AbcXtwb4+Diok6tOMQ32aHVws9ForCAGEKldMlus0/+WTTpqwwgmO38oegF56GzWA3PpYUedJXTE2g==", "ServerSignature": "LnD03k7cpYYvIPzVlgkFIKRQeIVSCNDslUHUMdlARBBMyw1TZMPHK9AU16GUATrv8GN6kBdJLY0QW7A/k2nEAOJPZxlNYr02XeXsdcOs4sqLfeKPYe2250zmeejLRoK8Ycov9Eks1PKGHs4jCsX/nVTmoUjPMCjEav/y5ZWKHhMYlq0kYRdgpJdRJ1kFNqoq+OhbbizKo/z+3HCVLhI3vtIqg7opzzqCrVELXFDiwRMHKt5QNjXoyKd7jvjcmDIHbNfO05ZTmF8P624rLX1x7/Z4eZEorwOSwHqTbY9t05liSFDY0xzY8Iwjx2ci6+kKP/u3Gu9jqX4lPEulNxweH+pNLpuSzxcKhLr13jkK4Gh/jz3B4L3XB2qOzo8p6Ct/Yos3DaKUHvswTfBRY7yCyHxnvWL8bxgInaQ5nXzhqTz0EcbngcX6tJYI+pRb+db/HJeF2HsiqwFHv+074+iDOan6/yyoyjaQybCmfggxaFtknvnJW8oU+aiBZAsH8ONvOVhG3wKs/fwBrND+5MPyALU61tvQK9/KY1/JC5mTD/wtUiAyXUmp3nfZ+Wc5ZSH+D39TOMVFv0u47JE0gDFoP23TyGvBBGPc2cyH86dCznzrIfqsIxOh6IQ6Fj4u9E7Mf7CHVIBjSGw//UzjI5r9DhyATGXHGkyFoHquvUk+soc=", "BDOS": "false", "Startup_Delay": "3", "Group": "Alibaba"}
Uses 32bit PE files
Source: ORDINE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDINE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: ORDINE.exe, iexplore.exe.11.dr
Source: Binary string: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists source: ORDINE.exe, iexplore.exe.11.dr
Potential browser exploit detected (process start blacklist hit)
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 191.101.130.243:7707 -> 192.168.2.5:49764
Source: Traffic Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 191.101.130.243:7707 -> 192.168.2.5:49764
Yara detected Generic Downloader
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49764 -> 191.101.130.243:7707
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: unknown TCP traffic detected without corresponding DNS query: 191.101.130.243
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en-
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 5660, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Uses 32bit PE files
Source: ORDINE.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 5660, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Detected potential crypto function
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_00B72CA9 0_2_00B72CA9
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_00B78F50 0_2_00B78F50
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC18DB 0_2_04BC18DB
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BCAEC8 0_2_04BCAEC8
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD5720 0_2_04BD5720
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD0040 0_2_04BD0040
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF5D40 0_2_04BF5D40
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF0040 0_2_04BF0040
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C00007 0_2_04C00007
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C15CE8 0_2_04C15CE8
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF5D31 0_2_04BF5D31
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF0006 0_2_04BF0006
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD56BE 0_2_04BD56BE
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD5710 0_2_04BD5710
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD0006 0_2_04BD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05159530 6_2_05159530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_0515D5E0 6_2_0515D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05154668 6_2_05154668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05158C60 6_2_05158C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05154661 6_2_05154661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_0515F298 6_2_0515F298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 6_2_05158918 6_2_05158918
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_028C2CA9 14_2_028C2CA9
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_028C8F50 14_2_028C8F50
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_0506188E 14_2_0506188E
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_0506AEC8 14_2_0506AEC8
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05075720 14_2_05075720
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05070040 14_2_05070040
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05095D40 14_2_05095D40
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05090040 14_2_05090040
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050A003F 14_2_050A003F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05090007 14_2_05090007
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05095D3F 14_2_05095D3F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_0507003F 14_2_0507003F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050756BE 14_2_050756BE
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_00B7F140 CreateProcessAsUserA, 0_2_00B7F140
Sample file is different than original file name gathered from version info
Source: ORDINE.exe, 00000000.00000002.447997854.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ORDINE.exe
Source: ORDINE.exe, 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome_exe< vs ORDINE.exe
PE file contains strange resources
Source: ORDINE.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexplore.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ORDINE.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDINE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\ORDINE.exe "C:\Users\user\Desktop\ORDINE.exe"
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDINE.exe.log Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe File created: C:\Users\user\AppData\Local\Temp\iexplore Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@30/5@0/1
Source: ORDINE.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\ORDINE.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: ORDINE.exe, ToFileTimeUtc.cs Base64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
Source: 0.0.ORDINE.exe.960000.0.unpack, ToFileTimeUtc.cs Base64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
Source: 6.0.vbc.exe.400000.0.unpack, Client/Settings.cs Base64 encoded string: 'MNO2Tfg03nxzwqpVgSyI/33z2xcuT7PfxueDhgv77bJLJ2QdHhStgX+CYFeiWREdns2MdlCanW0H0InAG4PkbA==', 'ZDC0fJzzQ9plOv1j5GXtPsGJMGPVDbpxPUhIMJKxXIQriOSH+DCPiVhdymVLsCVZAKHKnlz1XlY3lKsLP+ADbA==', 'xc3lrU/reoebtYPa5JoSpcJVnaTRsn/raQHWysdervWVGzzOn2lZLtDi+cBEutmb2Ws7VtDmGO/9TYgrVhEsSA==', 'vwRGgWYaVnV3Tt/zgXDAvdAosQzIU/JMmj41i95SoOcBpF47tiLu73Kdsvw6bWKYkcpCrEJfbfkziWhDZIqQNvf6AyVZtDo7YLMcpOoHzNEToB6hOxhLWdpfbd/iTT2pOl0MOBJJvt8E/2ANPg4FtAi5/UV7+iwCmUWOx2LT/Co0oF7qm3MbMsL5m0TbJyG5nNQNAGVeAZdO/pl98iCat3gg7NV79gHAlFs/oMvm3FHMs0sL+Kp3Hx+FPbqvjBCKCOm01WjWXjh3LGvgrg7AYAk6gCqzGvHIlQKSKDfQWpFwit/CUrnX9rjuBNDK1AX42JpErXNnhehoJiEQLLargunzGPp/ic3rKmh0ytwwkM2e/RsfQ2BBCJfAySs7GgWENsgCZnI4AvYwnrxoIS5c9PieP8z5wa7/hUEgMDzzzCXEUXm6yOwk9CDJUe9OQAMxVoEbCITLLy4WppVC8HkW1AWQCi2og7XGxh4sGdtc/P8FEAmp9KcCprtzdM6+SXsKy64d83/P8bG0Ds6PeDqcyiAcyWbSlqQ+hM/KpkjQ2hP4a8FktGejSHhKw0OuVLRV3aliXcoYUPMeO2GnRJ2qph6uTPzmGPE+xQ5bSwqAd4VVTwLRFSOBXOd8rZryQTIr6Yj71FDULFdepVEuGbjSVRRX7HMi6A6lncoWqkjf9f++7KfRJIeD+/bM8sFcLbdVeOFKwiGqjjjnD4SllkcCnncMfspbpAhp9ilqXwbeBTOuDQVy4p6vQhC6vGJoNpbPHCHGgozqIBVnOwKpFsTVYxWyTLkXGAFo+uBpSCxFqQ3b3SoYJYMuaOJ122Uh+myyNv++JBmcsvw6pq81pbsBqixmRPn7H+iOL1ViMHGMTIJTfw6TFD34s9Rag7qvBMSL/pA8fcxHlbEAXogkAL00+wqbY/a4HA7z42Y1tQUefYKf1QTuAk0bN+qejEhu9UGq/Z73dBDEFHiYIBbAKQk/ruKPV5R3nw7j4qxPlwPGyWqCw0s2CWx/GON98lpqr4wu0yhvZMspAI/WeK1GGTBJX5XfvWJz921CvfzIZZ/0yXafUw5BntVLWIKxhbeLmgDGgVr/yvQfgZ5IFVwl5BEzr8Zra+GcFuvNteMaaV3S3OpqfTc/b8sFL7UpX0qbYXEYHHZ9YRlwZf34CYzOVorAoFpeibHXuitEye2s/HE+x/bP1INgoSJkKkaRqXVZftgldxVNUFqTP5SYlGm1UaJyZc6osW5Di/d9v9U86OEZ4/G2PoAS8s1mH/NKQTnYuV3MRPrpPxTPs13kzAQKpDNTS+AjnmQfg7nVubbQn+RA4XXks+2wc2A+3H0ZhKu6WaXHPRyPGp3Yk3l64V3zHfdMUWHC+8ZUNwWgO59spNV5g6tihtVgDrPM+MaV8QwbugeO5es3O+WY61FpagqypsdF9/b7DBzdEdX6ZPDbqfuifZIWygYKVoHOJLa88Qv/wH54rC+rj2cOTnwdkDZA3NFEvqpIx6bhSuVvX9n1a0Palsx8zET0D4K2jNx7kh5EzDf9LMGVWY+kO9qWzOnKBm3yCSyaJgaMLnSvPwcbaKZf3R6nr9nCJPB+f9+zPJ847tSkl/XXYB9cuJfs0vPgc+VzpVJ4RGdGTdFXkxWizSEpq4PjgltwF8sPr4lAn7k0PLjt44CcgvrUknpMPw5m9+4b3NVjh97I3HC6jTIBFekilXXr9c0WC/s7/3GW2i2ruaTfGNwGYG0bxmjLobsAhgeenxHBsPwqPMFwhTEhUB/wnxlF8KQYWgqpW8ORnyq3e6KZtuIgCt1wkpTA+O2xiMQdfLiOjINoZ1UsSMb6CGWW8S62OxqzSpa0V4Hsxfwrp7eRO1uVrFFswIFsuTo7rm7cpR+RMANzbNtCzKtqJ2/fTXAvsPENwkdXnOckdlISrc6LYz5CyX9gyttHlpxB4OHbyUAvKvBRzfsXLQXhRsEIG9p95cvJEXbp93HacMaXdyUJm1aNDU3oOSlc9XapxGUgNqsiAnBsxLxbp9rBGYeiEawZI8or6t8lNl9P5wKtad4Ewn0mgCDuolsI+PgcmmnsHBgGSoN07GXgEWO343atuKnmDIdUiNJv9VHrlWDuy5WSQ7IwgC+pMK/PJ0SLma8d+Gy+72CIHwNeU+36y0ZOCUZ8u//cNBijQdu2fFViV9WDq5fd4YiLDA/bO18xoLrb5NtVQ9bDdpYuaICA4JsAVC8t/Aa43q3liHbfnwXxd0FVPe6cgfC6ccVnKi8M+FQMKvL6dsqAa2mOmSaWGUECVE/Z5WzElkL12BKZHD7NNp+qyX5GNZsHFBzXhxHArYRNKCYU6mQdj61dx3KrJuZtnME=', 'ydZqq1YhtqKCG4NjjeqNoIlJfBAgSONldmjlGLuftDCs+us7J5cx9NLfk5yat1y72M3NOcIcFW2UCvEwqit5Qg==', 'V0UW6o6hK8fIoHg027mAgerhquyDb27aKYrTh4U1scs72neC5oNo9A0Vxsh2mTUQ80uJJVQTH4ct5F0bGixtqw==', 'mzAEJafT5yxGpL8rfOe4t2Igrf9atyXT3SF3THcuGt9tD2iGhN918ZFQk84V54i6KRC+gF4eH/2gqcRVxt4P1w=='
Source: iexplore.exe.11.dr, ToFileTimeUtc.cs Base64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
Source: C:\Users\user\Desktop\ORDINE.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: ORDINE.exe Static file information: File size 3145728 > 1048576
Source: ORDINE.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ORDINE.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: ORDINE.exe, iexplore.exe.11.dr
Source: Binary string: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists source: ORDINE.exe, iexplore.exe.11.dr

Data Obfuscation
barindex
Binary or sample is protected by dotNetProtector
Source: ORDINE.exe, 00000000.00000000.411404596.0000000000962000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: dotNetProtector
Source: ORDINE.exe, 00000000.00000000.411404596.0000000000962000.00000020.00000001.01000000.00000003.sdmp String found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
Source: ORDINE.exe String found in binary or memory: dotNetProtector
Source: ORDINE.exe String found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
Source: iexplore.exe.11.dr String found in binary or memory: dotNetProtector
Source: iexplore.exe.11.dr String found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
.NET source code contains potential unpacker
Source: 6.0.vbc.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs .Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_00B7E1DD push B15446CAh; retf 0_2_00B7E1E2
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC0F24 push ds; iretd 0_2_04BC0F28
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC0E8C push edx; ret 0_2_04BC0E8F
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC0289 push ebp; iretd 0_2_04BC028C
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BC02C8 push ss; iretd 0_2_04BC02CB
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BD4C65 push es; ret 0_2_04BD4C66
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF54A1 push edi; retf 0047h 0_2_04BF54A2
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04BF5345 push esi; retf 0_2_04BF5346
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C053A3 push ebp; ret 0_2_04C053A4
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C05D13 pushad ; ret 0_2_04C05D25
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C10EC8 push ss; ret 0_2_04C10ECB
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C118D9 push cs; iretd 0_2_04C118DF
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_028CE1DD push B15446CAh; retf 14_2_028CE1E2
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05060E8C push edx; ret 14_2_05060E8F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05060289 push ebp; iretd 14_2_0506028C
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050602C8 push ss; iretd 14_2_050602CB
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05074C65 push es; ret 14_2_05074C66
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05095A02 push E803D85Eh; ret 14_2_05095A09
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_05095345 push esi; retf 14_2_05095346
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050954A1 push edi; retf 0047h 14_2_050954A2
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050959E3 push E804CF5Eh; retf 14_2_05095A01
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050A5D13 pushad ; ret 14_2_050A5D25
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050A53A3 push ebp; ret 14_2_050A53A4
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050C3194 push esi; iretd 14_2_050C3197
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Code function: 14_2_050C02D8 push es; iretd 14_2_050C02DB
PE file contains an invalid checksum
Source: ORDINE.exe Static PE information: real checksum: 0x7d9b9 should be: 0x308bb9
Source: iexplore.exe.11.dr Static PE information: real checksum: 0x7d9b9 should be: 0x308bb9
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AsyncRAT
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ORDINE.exe, 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, iexplore.exe, 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, iexplore.exe, 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ORDINE.exe TID: 5780 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4224 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4224 Thread sleep count: 102 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5304 Thread sleep count: 9790 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe TID: 5480 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 3928 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ORDINE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 9790 Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: iexplore.exe, 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\ORDINE.exe Code function: 0_2_04C1B854 CheckRemoteDebuggerPresent, 0_2_04C1B854
Enables debug privileges
Source: C:\Users\user\Desktop\ORDINE.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ORDINE.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects files into Windows application
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Injected file: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe was created by C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Injected file: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe was created by C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Injected file: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe was created by C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Injected file: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe was created by C:\Windows\SysWOW64\cmd.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\ORDINE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 40E000 Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 410000 Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 851008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 340000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 342000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 34E000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 350000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 464008 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\ORDINE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 340000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f Jump to behavior
Source: vbc.exe, 00000006.00000002.684777573.0000000006C5B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.457645035.0000000009121000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.684581194.0000000006C31000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ORDINE.exe Queries volume information: C:\Users\user\Desktop\ORDINE.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Queries volume information: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe Queries volume information: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ORDINE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 679294 Sample: ORDINE.exe Startdate: 05/08/2022 Architecture: WINDOWS Score: 100 58 Snort IDS alert for network traffic 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 6 other signatures 2->64 7 ORDINE.exe 4 2->7         started        11 iexplore.exe 3 2->11         started        13 iexplore.exe 2 2->13         started        process3 file4 50 C:\Users\user\AppData\...\ORDINE.exe.log, ASCII 7->50 dropped 68 Writes to foreign memory regions 7->68 70 Injects a PE file into a foreign processes 7->70 72 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->72 15 cmd.exe 3 7->15         started        18 cmd.exe 2 7->18         started        21 vbc.exe 2 7->21         started        24 cmd.exe 1 7->24         started        74 Antivirus detection for dropped file 11->74 76 Machine Learning detection for dropped file 11->76 78 Injects files into Windows application 11->78 26 cmd.exe 1 11->26         started        28 cmd.exe 1 11->28         started        30 cmd.exe 2 11->30         started        32 2 other processes 11->32 signatures5 process6 dnsIp7 52 C:\Users\user\AppData\Local\...\iexplore.exe, PE32 15->52 dropped 54 C:\Users\...\iexplore.exe:Zone.Identifier, ASCII 15->54 dropped 34 conhost.exe 15->34         started        66 Uses schtasks.exe or at.exe to add and modify task schedules 18->66 36 conhost.exe 18->36         started        56 191.101.130.243, 49764, 7707 MAJESTIC-HOSTING-01US Chile 21->56 38 conhost.exe 24->38         started        40 schtasks.exe 1 24->40         started        42 conhost.exe 26->42         started        44 schtasks.exe 1 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
191.101.130.243
 unknown Chile
396073 MAJESTIC-HOSTING-01US true