Windows Analysis Report
ORDINE.exe

Overview

General Information

Sample Name: ORDINE.exe
Analysis ID: 679294
MD5: 30e619eed663b6696ba1269dec11e1a9
SHA1: 04ad1454bb163c8e1c5820ba591ae613dd6f6d45
SHA256: faaddcf1294c8358fc6ccc4c36ecdc9fccd03ac345b3d022db144798d611397d
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected AsyncRAT
Antivirus detection for dropped file
Snort IDS alert for network traffic
Injects files into Windows application
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Binary or sample is protected by dotNetProtector
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Potential browser exploit detected (process start blacklist hit)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ORDINE.exe (PID: 5760 cmdline: "C:\Users\user\Desktop\ORDINE.exe" MD5: 30E619EED663B6696BA1269DEC11E1A9)
    • vbc.exe (PID: 1164 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 3472 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5416 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6000 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5736 cmdline: cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • iexplore.exe (PID: 2848 cmdline: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: 30E619EED663B6696BA1269DEC11E1A9)
    • vbc.exe (PID: 5660 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • cmd.exe (PID: 4976 cmdline: cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2432 cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 5348 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4448 cmdline: cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • BackgroundTransferHost.exe (PID: 2432 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
  • iexplore.exe (PID: 4604 cmdline: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe MD5: 30E619EED663B6696BA1269DEC11E1A9)
  • cleanup

Malware Configuration

{"Server": "191.101.130.243", "Ports": "7707", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "F37wL6kU6d1ln0ZzFzD1Z61sP0kXqYbm", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "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", "ServerSignature": "LnD03k7cpYYvIPzVlgkFIKRQeIVSCNDslUHUMdlARBBMyw1TZMPHK9AU16GUATrv8GN6kBdJLY0QW7A/k2nEAOJPZxlNYr02XeXsdcOs4sqLfeKPYe2250zmeejLRoK8Ycov9Eks1PKGHs4jCsX/nVTmoUjPMCjEav/y5ZWKHhMYlq0kYRdgpJdRJ1kFNqoq+OhbbizKo/z+3HCVLhI3vtIqg7opzzqCrVELXFDiwRMHKt5QNjXoyKd7jvjcmDIHbNfO05ZTmF8P624rLX1x7/Z4eZEorwOSwHqTbY9t05liSFDY0xzY8Iwjx2ci6+kKP/u3Gu9jqX4lPEulNxweH+pNLpuSzxcKhLr13jkK4Gh/jz3B4L3XB2qOzo8p6Ct/Yos3DaKUHvswTfBRY7yCyHxnvWL8bxgInaQ5nXzhqTz0EcbngcX6tJYI+pRb+db/HJeF2HsiqwFHv+074+iDOan6/yyoyjaQybCmfggxaFtknvnJW8oU+aiBZAsH8ONvOVhG3wKs/fwBrND+5MPyALU61tvQK9/KY1/JC5mTD/wtUiAyXUmp3nfZ+Wc5ZSH+D39TOMVFv0u47JE0gDFoP23TyGvBBGPc2cyH86dCznzrIfqsIxOh6IQ6Fj4u9E7Mf7CHVIBjSGw//UzjI5r9DhyATGXHGkyFoHquvUk+soc=", "BDOS": "false", "Startup_Delay": "3", "Group": "Alibaba"}
Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x102bf2:$x1: AsyncRAT
  • 0x102c30:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8243:$x1: AsyncRAT
  • 0x8281:$x1: AsyncRAT
00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xa65d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x35f93:$x1: AsyncRAT
  • 0x35fd1:$x1: AsyncRAT
  • 0x56ef7:$x1: AsyncRAT
  • 0x56f35:$x1: AsyncRAT
0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(17 entries in total; the remaining entries are not shown here)

Source | Rule | Description | Author | Strings
6.0.vbc.exe.400000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
6.0.vbc.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
6.0.vbc.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99c1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

No Sigma rule has matched

Snort alert
Timestamp: 08/05/22-14:47:38.477674
Source IP: 191.101.130.243
Destination IP: 192.168.2.5
SID: 2035595
Source Port: 7707
Destination Port: 49764
Protocol: TCP
Classtype: A Network Trojan was detected

Snort alert
Timestamp: 08/05/22-14:47:38.477674
Source IP: 191.101.130.243
Destination IP: 192.168.2.5
SID: 2030673
Source Port: 7707
Destination Port: 49764
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

Source: ORDINE.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: ORDINE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Joe Sandbox ML: detected
Source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT (the extracted configuration is listed in full above)
Source: ORDINE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ORDINE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: ORDINE.exe, iexplore.exe.11.dr
          Source: Binary string: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists source: ORDINE.exe, iexplore.exe.11.dr
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

          Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 191.101.130.243:7707 -> 192.168.2.5:49764
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 191.101.130.243:7707 -> 192.168.2.5:49764
Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: MAJESTIC-HOSTING-01US MAJESTIC-HOSTING-01US
Source: global traffic | TCP traffic: 192.168.2.5:49764 -> 191.101.130.243:7707
Source: unknown | TCP traffic detected without corresponding DNS query: 191.101.130.243 (this entry is repeated 50 times in the report)
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en-
Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: vbc.exe, 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR

          System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: Process Memory Space: vbc.exe PID: 5660, type: MEMORYSTR | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
Source: ORDINE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: vbc.exe PID: 5660, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_00B72CA9
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_00B78F50
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BC18DB
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BCAEC8
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD5720
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD0040
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF5D40
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF0040
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04C00007
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04C15CE8
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF5D31
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BF0006
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD56BE
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD5710
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_04BD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05159530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0515D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05154668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05158C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05154661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_0515F298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 6_2_05158918
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_028C2CA9
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_028C8F50
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_0506188E
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_0506AEC8
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05075720
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05070040
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05095D40
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05090040
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_050A003F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05090007
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_05095D3F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_0507003F
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Code function: 14_2_050756BE
Source: C:\Users\user\Desktop\ORDINE.exe | Code function: 0_2_00B7F140 CreateProcessAsUserA,
Source: ORDINE.exe, 00000000.00000002.447997854.0000000000BDA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs ORDINE.exe
Source: ORDINE.exe, 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome_exe< vs ORDINE.exe
Source: ORDINE.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iexplore.exe.11.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ORDINE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDINE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ORDINE.exe "C:\Users\user\Desktop\ORDINE.exe"
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Users\user\Desktop\ORDINE.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
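The process-creation entries above are the complete persistence chain: a directory is created under the user's Temp folder, the running image is copied into it under the name of a real browser binary (iexplore.exe), and schtasks /create registers a task that fires every minute to launch that copy, with /f so an earlier task of the same name is silently replaced. The Python below is an added example for this report, not part of the Joe Sandbox output and not code from the sample: it runs simple detection logic over process-creation events constructed from the command lines quoted above (plus one invented benign task as a control), flags each indicator on its own, and then correlates the copy destination with the task action. The path patterns, the lookalike-name list and the one-to-five-minute threshold are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Process-creation events constructed for this example from the command lines
# quoted in the report above, as (parent image, child command line). Not a live
# log feed; the last entry is an invented benign control.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (r"C:\Users\user\Desktop\ORDINE.exe",
     r'cmd /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore"'),
    (r"C:\Users\user\Desktop\ORDINE.exe",
     r'cmd /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f'''),
    (r"C:\Windows\System32\cmd.exe",
     r'schtasks /create /sc hourly /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'),
]

# Assumptions of this example: which paths count as user-writable, and which
# binary names are worth flagging when they run from outside system directories.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
LOOKALIKE_NAMES = {"iexplore.exe", "svchost.exe", "explorer.exe", "chrome.exe"}
TRUSTED_DIRS = re.compile(r"^[A-Z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I)

SCHTASKS_CREATE = re.compile(r"(?:^|\s)schtasks(?:\.exe)?\s+/create\b", re.I)
SC_OPT = re.compile(r"/sc\s+(\w+)", re.I)
MO_OPT = re.compile(r"/mo\s+(\d+)", re.I)
TN_OPT = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
# The report's /tr value is wrapped in both double and single quotes; tolerate either.
TR_OPT = re.compile(r"""/tr\s+["']+([^"']+)["']*""", re.I)
FORCE_OPT = re.compile(r"\s/f(?:\s|$)", re.I)
COPY_CMD = re.compile(r'\bcopy\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)
MKDIR_CMD = re.compile(r'\bmkdir\s+("[^"]+"|\S+)', re.I)


def basename(path: str) -> str:
    """Last component of a Windows path, independent of the host OS."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def analyze_event(parent: str, cmdline: str) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    findings: List[str] = []
    if SCHTASKS_CREATE.search(cmdline):
        sc, mo, tn, tr = (p.search(cmdline) for p in (SC_OPT, MO_OPT, TN_OPT, TR_OPT))
        name = tn.group(1) if tn else "?"
        action = tr.group(1).strip() if tr else ""
        interval = int(mo.group(1)) if mo else 1          # schtasks defaults /mo to 1
        if sc and sc.group(1).lower() == "minute" and interval <= 5:
            findings.append(f"task {name}: minute-level trigger (/sc minute /mo {interval})")
        if USER_WRITABLE.search(action):
            findings.append(f"task {name}: action in user-writable path {action}")
        if basename(action).lower() in LOOKALIKE_NAMES and not TRUSTED_DIRS.match(action):
            findings.append(f"task {name}: action borrows the name {basename(action)} outside a system directory")
        if FORCE_OPT.search(cmdline):
            findings.append(f"task {name}: /f overwrites any existing task of that name")
    copy = COPY_CMD.search(cmdline)
    if copy:
        src, dst = (s.strip('"') for s in copy.groups())
        if USER_WRITABLE.search(dst) and dst.lower().endswith(".exe"):
            findings.append(f"executable copied into user-writable path: {dst}")
        if src.lower() == parent.lower():
            findings.append("process copies its own image (self-replication for persistence)")
    mkdir = MKDIR_CMD.search(cmdline)
    if mkdir:
        target = mkdir.group(1).strip('"')
        if USER_WRITABLE.search(target):
            findings.append(f"directory staged in user-writable path: {target}")
    return findings


def persistence_chain(events: List[Tuple[str, str]]) -> bool:
    """True when an .exe is copied into a user-writable path and a later
    schtasks /create names that same file as its action: the pattern above."""
    staged = set()
    for _parent, cmdline in events:
        copy = COPY_CMD.search(cmdline)
        if copy and USER_WRITABLE.search(copy.group(2)):
            staged.add(copy.group(2).strip('"').lower())
        if SCHTASKS_CREATE.search(cmdline):
            tr = TR_OPT.search(cmdline)
            if tr and tr.group(1).strip().lower() in staged:
                return True
    return False


def triage(events: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map event index to findings, omitting events that produced none."""
    return {i: f for i, (p, c) in enumerate(events) if (f := analyze_event(p, c))}


if __name__ == "__main__":
    for i, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i][1][:60]}")
        for f in findings:
            print("   -", f)
    print("copy-then-schedule chain:", persistence_chain(SAMPLE_EVENTS))
```

In a real pipeline the events would come from Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled. Each indicator on its own is noisy (installers create Temp directories, admins use /f); matching the /tr action against an earlier copy destination is what turns three weak events into one high-confidence alert, and the borrowed iexplore.exe name outside a system directory is the cheap masquerading check a triage analyst would run first.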
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\ORDINE.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDINE.exe.log
          Source: C:\Users\user\Desktop\ORDINE.exeFile created: C:\Users\user\AppData\Local\Temp\iexplore
          Source: classification engineClassification label: mal100.troj.evad.winEXE@30/5@0/1
          Source: ORDINE.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\ORDINE.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: ORDINE.exe, ToFileTimeUtc.csBase64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
          Source: 0.0.ORDINE.exe.960000.0.unpack, ToFileTimeUtc.csBase64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
          Source: 6.0.vbc.exe.400000.0.unpack, Client/Settings.csBase64 encoded string: 'MNO2Tfg03nxzwqpVgSyI/33z2xcuT7PfxueDhgv77bJLJ2QdHhStgX+CYFeiWREdns2MdlCanW0H0InAG4PkbA==', 'ZDC0fJzzQ9plOv1j5GXtPsGJMGPVDbpxPUhIMJKxXIQriOSH+DCPiVhdymVLsCVZAKHKnlz1XlY3lKsLP+ADbA==', 'xc3lrU/reoebtYPa5JoSpcJVnaTRsn/raQHWysdervWVGzzOn2lZLtDi+cBEutmb2Ws7VtDmGO/9TYgrVhEsSA==', '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', 'ydZqq1YhtqKCG4NjjeqNoIlJfBAgSONldmjlGLuftDCs+us7J5cx9NLfk5yat1y72M3NOcIcFW2UCvEwqit5Qg==', 'V0UW6o6hK8fIoHg027mAgerhquyDb27aKYrTh4U1scs72neC5oNo9A0Vxsh2mTUQ80uJJVQTH4ct5F0bGixtqw==', 'mzAEJafT5yxGpL8rfOe4t2Igrf9atyXT3SF3THcuGt9tD2iGhN918ZFQk84V54i6KRC+gF4eH/2gqcRVxt4P1w=='
          Source: iexplore.exe.11.dr, ToFileTimeUtc.csBase64 encoded string: 'nGkmPzup9QPT/suqCXzXd8p+N6CXtoylwVLH56TLSIhDmKvHzxbCciqmJ2fGkZ36', 'p5KZGN3BLyS03tPbahDvetnv8F426EZU1ptA0iZnCTzXvpEMxKAAu7RSCbYTrJs4', 'kSmkMwMgyTwojGjYVLQ9/m4UNBC2d1oEqLMCx18bqsCbogcZ8S7194vmqs0dbe32', 'nKugDFAAnu4KUw1dLafRGjOfRKT15LRh7pxu6CjDt6zLAN1H5Q6VR9HjUM46/xZm', 'nKzsyl0VNiKFg8zv8vJuX4FsE+zYuTdZQzxZg5stitFoLDpvibLCfmcE8lGnNYDT'
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5496:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5748:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5400:120:WilError_01
          Source: C:\Users\user\Desktop\ORDINE.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: ORDINE.exeStatic file information: File size 3145728 > 1048576
          Source: ORDINE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ORDINE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: ORDINE.exe, iexplore.exe.11.dr
          Source: Binary string: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists source: ORDINE.exe, iexplore.exe.11.dr

          Data Obfuscation

          Source: ORDINE.exe, 00000000.00000000.411404596.0000000000962000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: dotNetProtector
          Source: ORDINE.exe, 00000000.00000000.411404596.0000000000962000.00000020.00000001.01000000.00000003.sdmpString found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
          Source: ORDINE.exeString found in binary or memory: dotNetProtector
          Source: ORDINE.exeString found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
          Source: iexplore.exe.11.drString found in binary or memory: dotNetProtector
          Source: iexplore.exe.11.drString found in binary or memory: YrEscapeAsciiCharBuildNumberGet_ParamNumberRevisionNumbercolumnReaderIFormatProviderMethodBuilderModuleBuilderTypeBuilderInitCustomAttributeBuilderEventBuilderAssemblyBuilderSpecialFolderBufferResourceManagerAppDomainManagerDebuggerdnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandlerSignatureEqualityComparerget_NotAfterSyncTextWriterPositionPointerget_IsPointerBitConverterMemberMDInitializerM_hrGetTokenForFloorSetLastWin32ErrorDynamicILGenerator.ctor.cctordotNetProtectorget_IsConstructorCreateDecryptorIntPtrHasEventPtrAbsDllCharacteristicsSystem.DiagnosticsgsadshdsPreserveParamRidsFieldsGetMethodsAddDateWordsadsdsAesSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesSystem.ResourcesdebugResourcesehgIkSibci.resources_nameHashesGetDirectoriesSet_AllFilesMonthNamesPrimesS_systemTimeZonesGetSortedTypesEmptyTypesNeedFatExceptionClausesAssignAssociatesGetAssociatesMethodAttributesTypeAttributesMethodImplAttributesGetCustomAttributesM_attributesGet_MinutesRfc2898DeriveBytesGetBytesNumberOfRvaAndSizesGet_NumberGroupSizesfhfsBindingFlagsGetMethodImplementationFlagsSetImplementationFlagsjfddggsshgsEncodingsfhddsdshfddfhhsagshsGetModuleSearchPathsModifiersEqualshotHeapStreamsM_iterationsCallingConventionsCompareOptionsPushOptionsCos_writePosCurPoseventDefInfosGetTokenFixupsget_CharsInitMembersGetOptionalCustomModifiersRuntimeHelpersJitHelpersGetParametersget_IsClassAssemblyBuilderAccessSuczdvssedrtrsvfcdsdasdcessSuczdvsdsdvfctesdsdrdsasdcessSuczdvsdsdvfctesdsrdsasdcessGetCurrentProcessVirtualAddressCompressgfssReadNamedArgumentsUriComponentsExists
          Source: 6.0.vbc.exe.400000.0.unpack, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_00B7E1DD push B15446CAh; retf
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BC0F24 push ds; iretd
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BC0E8C push edx; ret
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BC0289 push ebp; iretd
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BC02C8 push ss; iretd
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BD4C65 push es; ret
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BF54A1 push edi; retf 0047h
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04BF5345 push esi; retf
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04C053A3 push ebp; ret
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04C05D13 pushad ; ret
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04C10EC8 push ss; ret
          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04C118D9 push cs; iretd
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_028CE1DD push B15446CAh; retf
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_05060E8C push edx; ret
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_05060289 push ebp; iretd
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050602C8 push ss; iretd
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_05074C65 push es; ret
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_05095A02 push E803D85Eh; ret
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_05095345 push esi; retf
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050954A1 push edi; retf 0047h
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050959E3 push E804CF5Eh; retf
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050A5D13 pushad ; ret
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050A53A3 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050C3194 push esi; iretd
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeCode function: 14_2_050C02D8 push es; iretd
          Source: ORDINE.exeStatic PE information: real checksum: 0x7d9b9 should be: 0x308bb9
          Source: iexplore.exe.11.drStatic PE information: real checksum: 0x7d9b9 should be: 0x308bb9
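Both the submitted file and the dropped copy carry a stored CheckSum (0x7d9b9) that disagrees with the value computed over the file (0x308bb9); the two entries are identical because the drop is made with cmd /c copy and is therefore byte-for-byte the same file. The Python below is an added example, not part of the report: it implements the optional-header CheckSum computation the Windows loader uses (the same word-sum-and-fold algorithm pefile's generate_checksum reproduces) and compares it with the stored field. It runs on a constructed header-only image rather than the real sample; the real file can be passed on the command line.

```python
import struct


def pe_checksum(data: bytes) -> int:
    """Compute the optional-header CheckSum the way Windows' CheckSumMappedFile
    does: sum every 32-bit little-endian word of the file except the CheckSum
    field itself, folding carries back in, then fold to 16 bits and add the
    file length."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # OptionalHeader begins 24 bytes after the "PE\0\0" signature; CheckSum is
    # at offset 0x40 inside it. Linkers align e_lfanew, so the field is one word.
    checksum_off = e_lfanew + 24 + 0x40
    if checksum_off % 4:
        raise ValueError("unaligned optional header; not handled by this example")
    padded = data + b"\0" * (-len(data) % 4)   # pad the tail to a whole word
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue                            # the field being computed is skipped
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                  # fold the carry back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def stored_checksum(data: bytes) -> int:
    """Read the CheckSum field as written by the linker (or the packer)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<I", data, e_lfanew + 24 + 0x40)[0]


def verify_checksum(data: bytes):
    """Return (stored, computed, matches). A stored value of 0 means the linker
    never filled the field in, which is common and not suspicious by itself."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def build_minimal_image(stored: int) -> bytes:
    """Constructed 160-byte header-only image (not a loadable PE): MZ stub with
    e_lfanew = 0x40, the PE signature, and the CheckSum field (file offset 0x98)
    set to `stored`. Just enough structure for the arithmetic above to run."""
    img = bytearray(160)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", img, 0x40 + 24 + 0x40, stored)
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Constructed image: whatever is stored, the computed value is the same.
    for stored in (0, 0x7D9B9):
        s, c, ok = verify_checksum(build_minimal_image(stored))
        print(f"constructed: stored 0x{s:x} computed 0x{c:x} {'match' if ok else 'MISMATCH'}")
    if len(sys.argv) > 1:                       # optional: a real file from disk
        with open(sys.argv[1], "rb") as fh:
            s, c, ok = verify_checksum(fh.read())
        print(f"{sys.argv[1]}: stored 0x{s:x} computed 0x{c:x} {'match' if ok else 'MISMATCH'}")
```

Caveat: Windows enforces the checksum only for kernel-mode drivers and boot-critical images; a user-mode executable with a wrong or zero checksum loads without complaint, so plenty of legitimate unsigned or tool-generated binaries mismatch too. Treat a non-zero stored value that does not match as corroboration that the file was patched, packed or otherwise modified after linking, not as a detection on its own.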
          Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe

          Boot Survival

          Source: Yara matchFile source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\Desktop\ORDINE.exeProcess information set: NOOPENFILEERRORBOX (18 identical entries collapsed)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOX (41 identical entries collapsed)
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess information set: NOOPENFILEERRORBOX (18 identical entries collapsed)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information set: NOOPENFILEERRORBOX (21 identical entries collapsed)
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess information set: NOOPENFILEERRORBOX (18 identical entries collapsed)

          Malware Analysis System Evasion

          Source: Yara matchFile source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
          Source: ORDINE.exe, 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, iexplore.exe, 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, iexplore.exe, 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\ORDINE.exe TID: 5780Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4224Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 4224Thread sleep count: 102 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 5304Thread sleep count: 9790 > 30
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe TID: 5480Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 3928Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\ORDINE.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeWindow / User API: threadDelayed 9790
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeFile Volume queried: C:\ FullSizeInformation
          Source: vbc.exe, 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
          Source: iexplore.exe, 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware

          Anti Debugging

          Source: C:\Users\user\Desktop\ORDINE.exeCode function: 0_2_04C1B854 CheckRemoteDebuggerPresent,
          Source: C:\Users\user\Desktop\ORDINE.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\ORDINE.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\ORDINE.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeInjected file: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe was created by C:\Windows\SysWOW64\cmd.exe
          Source: C:\Users\user\Desktop\ORDINE.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
          Source: C:\Users\user\Desktop\ORDINE.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000
          Source: C:\Users\user\Desktop\ORDINE.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 40E000
          Source: C:\Users\user\Desktop\ORDINE.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 410000
          Source: C:\Users\user\Desktop\ORDINE.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 851008
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 340000
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 342000
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 34E000
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 350000
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 464008
          Source: C:\Users\user\Desktop\ORDINE.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 340000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\ORDINE.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Users\user\Desktop\ORDINE.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
          Source: C:\Users\user\Desktop\ORDINE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\Desktop\ORDINE.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
          Source: vbc.exe, 00000006.00000002.684777573.0000000006C5B000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000003.457645035.0000000009121000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000006.00000002.684581194.0000000006C31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
          Source: C:\Users\user\Desktop\ORDINE.exeQueries volume information: C:\Users\user\Desktop\ORDINE.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exeQueries volume information: C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe VolumeInformation
          Source: C:\Users\user\Desktop\ORDINE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara matchFile source: 6.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: ORDINE.exe PID: 5760, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 1164, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: iexplore.exe PID: 2848, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: iexplore.exe PID: 4604, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
MITRE ATT&CK Matrix (leading numbers are the report's signature-count badges for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
1 Valid Accounts | 1 Windows Management Instrumentation | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Shared Modules | Logon Script (Windows) | 312 Process Injection | 1 Access Token Manipulation | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 1 Exploitation for Client Execution | Logon Script (Mac) | 2 Scheduled Task/Job | 1 Disable or Modify Tools | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 31 Virtualization/Sandbox Evasion | LSA Secrets | 13 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 312 Process Injection | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Obfuscated Files or Information | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Software Packing | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Behavior Graph ID: 679294 | Sample: ORDINE.exe | Start date: 05/08/2022 | Architecture: WINDOWS | Score: 100

Signatures on the start node: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures

Process tree recovered from the behavior graph:
ORDINE.exe
  dropped: C:\Users\user\AppData\...\ORDINE.exe.log (ASCII)
  signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
  cmd.exe
    dropped: C:\Users\user\AppData\Local\...\iexplore.exe (PE32); C:\Users\...\iexplore.exe:Zone.Identifier (ASCII)
    conhost.exe
  cmd.exe
    signature: Uses schtasks.exe or at.exe to add and modify task schedules
    conhost.exe
  vbc.exe
    network: 191.101.130.243, 49764, 7707, MAJESTIC-HOSTING-01US, Chile
  cmd.exe
    conhost.exe
    schtasks.exe
iexplore.exe
  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Injects files into Windows application
  cmd.exe
    conhost.exe
    schtasks.exe
  cmd.exe
    conhost.exe
  cmd.exe
    conhost.exe
  2 other processes
iexplore.exe

Source | Detection | Scanner | Label
ORDINE.exe | 100% | Avira | TR/Dropper.Gen
ORDINE.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
6.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1202836
14.0.iexplore.exe.3c0000.0.unpack | 100% | Avira | HEUR/AGEN.1230579
          No Antivirus matches
          No Antivirus matches
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
191.101.130.243 | unknown | Chile | 396073 | MAJESTIC-HOSTING-01US | true
            Joe Sandbox Version:35.0.0 Citrine
            Analysis ID:679294
Start date and time: 2022-08-05 14:46:13 +02:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 32s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:ORDINE.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@30/5@0/1
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:Failed
            HCA Information:
            • Successful, ratio: 97%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Adjust boot time
            • Enable AMSI
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
            • TCP Packets have been reduced to 100
            • Excluded IPs from analysis (whitelisted): 23.211.6.115
            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, licensing.mp.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
Time | Type | Description
14:47:36 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe"
            Process:C:\Users\user\Desktop\ORDINE.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):425
            Entropy (8bit):5.340009400190196
            Encrypted:false
            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
            MD5:CC144808DBAF00E03294347EADC8E779
            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
            Malicious:true
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            Process:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):425
            Entropy (8bit):5.340009400190196
            Encrypted:false
            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
            MD5:CC144808DBAF00E03294347EADC8E779
            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):425
            Entropy (8bit):5.340009400190196
            Encrypted:false
            SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
            MD5:CC144808DBAF00E03294347EADC8E779
            SHA1:A3434FC71BA82B7512C813840427C687ADDB5AEA
            SHA-256:3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
            SHA-512:A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
            Process:C:\Windows\SysWOW64\cmd.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):3145728
            Entropy (8bit):1.1807463156564255
            Encrypted:false
            SSDEEP:6144:Pnsnxlpl/4MgsaffkOiBxqwuhiowOskDnlat1JLfwyTeiB0PJo3zzn:fs3pZ4MgzffDwsbikcJpnfn
            MD5:30E619EED663B6696BA1269DEC11E1A9
            SHA1:04AD1454BB163C8E1C5820BA591AE613DD6F6D45
            SHA-256:FAADDCF1294C8358FC6CCC4C36ECDC9FCCD03AC345B3D022DB144798D611397D
            SHA-512:2C7FF7B8658137E4C1CE494B2944E41C51BE8C5D163DF07CC3B16736D3ABF591EA530D2B4B5FCA212FC96D72383A4E65BFE42491A938DC12B42E78B764439BB3
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..b............................~.... ........@.. ....................................@.................................0...K.......r............................................................................ ............... ..H............text........ ...................... ..`.rsrc...r...........................@..@.reloc...............L..............@..B................`.......H...........<.......3....4.............................................Ivan Meedev...(....*..-.*(....&*2~.....(....*..(....*.*..{....*..{....*:~.......(....*..{....*..{....*:~.......(....*6~......(....*..{....*..{....*..{....*..{....*..{....*..{....*.~....(....*.~S...(....*..{....*..{....*.~....(....*..{....*..{....*..{....*.~8...(....*..{....*6~H.....(....*6~I.....(....*..0..?............#E...v.c@#..... S@(o...Y(p...(.........#......t@#......[@(q...Y(p...($........#....
            Process:C:\Windows\SysWOW64\cmd.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):1.1807463156564255
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:ORDINE.exe
            File size:3145728
            MD5:30e619eed663b6696ba1269dec11e1a9
            SHA1:04ad1454bb163c8e1c5820ba591ae613dd6f6d45
            SHA256:faaddcf1294c8358fc6ccc4c36ecdc9fccd03ac345b3d022db144798d611397d
            SHA512:2c7ff7b8658137e4c1ce494b2944e41c51be8c5d163df07cc3b16736d3abf591ea530d2b4b5fca212fc96d72383a4e65bfe42491a938dc12b42e78b764439bb3
            SSDEEP:6144:Pnsnxlpl/4MgsaffkOiBxqwuhiowOskDnlat1JLfwyTeiB0PJo3zzn:fs3pZ4MgzffDwsbikcJpnfn
            TLSH:C3E5DE3C37F13B61EC9DC831468165246BEA0FA7DEA186D1D3EA19C7930D8F52D44A8B
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ..b............................~.... ........@.. ....................................@................................
            Icon Hash:74f4d8cccaccdce4
            Entrypoint:0x44a87e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x62ECB720 [Fri Aug 5 06:22:24 2022 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint instruction:
jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a830 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4c000 | 0x2bf72 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x48884 | 0x48a00 | False | 0.42609052280550774 | data | 5.630156495500773 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4c000 | 0x2bf72 | 0x2c000 | False | 0.217041015625 | data | 4.522066472641785 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x78000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x4c2c4 | 0x3b4b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
RT_ICON | 0x4fe10 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | - | -
RT_ICON | 0x60638 | 0x94a8 | data | - | -
RT_ICON | 0x69ae0 | 0x5488 | data | - | -
RT_ICON | 0x6ef68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 49407, next used block 4294902528 | - | -
RT_ICON | 0x73190 | 0x25a8 | data | - | -
RT_ICON | 0x75738 | 0x10a8 | data | - | -
RT_ICON | 0x767e0 | 0x988 | data | - | -
RT_ICON | 0x77168 | 0x468 | GLS_BINARY_LSB_FIRST | - | -
RT_GROUP_ICON | 0x775d0 | 0x84 | data | - | -
RT_VERSION | 0x77654 | 0x1f8 | data | English | United States
RT_MANIFEST | 0x7784c | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

DLL | Import
mscoree.dll | _CorExeMain

Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/05/22-14:47:38.477674 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
08/05/22-14:47:38.477674 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 7707 | 49764 | 191.101.130.243 | 192.168.2.5

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 14:47:38.127145052 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:38.269309998 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:38.269445896 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:38.318298101 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:38.477674007 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:38.477732897 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:38.477982998 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:38.487781048 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:38.640578032 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:38.751085043 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:40.419425011 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:40.615670919 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:40.618067026 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:40.809494972 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:50.430208921 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:50.623672009 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:50.623825073 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:50.766381025 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:50.970876932 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:51.112742901 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:51.252288103 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:51.692173004 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:51.884382963 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:47:51.884573936 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:47:52.077028036 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:00.474582911 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:00.666841030 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:00.667256117 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:00.810467958 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:00.956156969 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:01.098112106 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:01.102432966 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:01.294476986 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:01.295002937 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:01.487618923 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:06.666898012 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:06.753413916 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:06.895541906 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:06.956677914 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:10.521596909 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:10.714154959 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:10.714251041 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:10.857007980 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:10.960084915 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:11.105015039 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:11.109167099 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:11.300544977 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:11.300617933 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:11.492717028 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:20.573885918 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:20.766634941 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:20.766736031 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:20.909015894 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:20.957745075 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:21.099809885 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:21.107994080 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:21.299247980 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:21.299333096 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:21.491667986 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:30.627182961 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:30.819617033 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:30.824776888 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:31.017733097 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:31.100992918 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:31.144403934 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:31.286057949 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:31.294070005 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:31.486768007 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:31.489630938 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:31.681834936 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:36.670231104 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:36.858855009 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:36.996824026 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:37.014642954 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:37.014746904 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:40.674314976 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:40.865524054 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:40.865680933 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:41.007802010 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:41.156017065 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:41.297467947 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:41.303443909 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:41.495160103 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:41.495237112 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:41.687614918 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:50.721977949 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:50.913625956 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:50.913796902 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:51.106523037 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:51.119471073 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:51.360080004 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:51.501856089 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:51.512048006 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:51.704071045 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:48:51.705694914 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:48:51.899034023 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:49:00.770054102 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:49:00.962053061 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
Aug 5, 2022 14:49:00.964544058 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243
Aug 5, 2022 14:49:01.107496977 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5
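The packet list shows the infected host opening a short exchange with 191.101.130.243:7707 about every ten seconds, plus two exchanges the server opened itself (14:48:06 and 14:48:36). The Snort alerts above key on the TLS certificate; the timing is an independent signal that survives a certificate change. The following added example (not part of the Joe Sandbox report) measures that regularity: it groups the packets into request/response bursts, keeps only bursts the client opened, and reports the median interval and its median absolute deviation, so the single odd first interval (registration, then the first keep-alive) does not mask the beacon. SAMPLE_ROWS is a subset of the rows above, with fields separated by " | "; CLIENT_IP is the sandbox VM from the report; the 1 s burst gap and the 5 % regularity threshold are assumptions made for this example.

```python
"""Beacon-interval check over the TCP packet list of a sandbox report.

Added example, not part of the Joe Sandbox report. Rows of the form
'timestamp | src port | dst port | src ip | dst ip' are grouped into
request/response bursts; bursts opened by the infected host are kept and the
spacing between them is summarised with a median and a median absolute
deviation (MAD), so one odd interval cannot hide a regular beacon.
SAMPLE_ROWS is a subset of the report's packet list (the first packets of
each exchange); CLIENT_IP comes from the report, BURST_GAP_S is an assumption.
"""
import re
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

CLIENT_IP = "192.168.2.5"   # the sandbox VM, as listed in the report
BURST_GAP_S = 1.0           # assumption: more than 1 s of silence starts a new burst

# Subset of the report's packet list, fields separated by ' | '.
SAMPLE_ROWS = [
    "Aug 5, 2022 14:47:38.127145052 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:47:38.269309998 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:47:38.269445896 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:47:40.419425011 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:47:40.615670919 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:47:50.430208921 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:47:50.623672009 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:00.474582911 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:00.666841030 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:06.666898012 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:06.753413916 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:10.521596909 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:10.714154959 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:20.573885918 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:20.766634941 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:30.627182961 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:30.819617033 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:36.670231104 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:36.858855009 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:40.674314976 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:40.865524054 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:48:50.721977949 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:48:50.913625956 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
    "Aug 5, 2022 14:49:00.770054102 CEST | 49764 | 7707 | 192.168.2.5 | 191.101.130.243",
    "Aug 5, 2022 14:49:00.962053061 CEST | 7707 | 49764 | 191.101.130.243 | 192.168.2.5",
]

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+)(?:\s+\w+)?$")


def parse_ts(text: str) -> datetime:
    """Parse 'Aug 5, 2022 14:47:38.127145052 CEST'. strptime's %f accepts at most
    six digits, so the nanosecond field is truncated to microseconds."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable timestamp: {text!r}")
    return datetime.strptime(f"{m.group(1)}.{m.group(2)[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(rows: List[str]) -> List[Tuple[datetime, str, str]]:
    """Return (time, src ip, dst ip) per row, sorted by time."""
    pkts = []
    for row in rows:
        ts, _sport, _dport, src, dst = [f.strip() for f in row.split("|")]
        pkts.append((parse_ts(ts), src, dst))
    return sorted(pkts, key=lambda p: p[0])


def group_bursts(pkts: List[Tuple[datetime, str, str]], gap_s: float = BURST_GAP_S) -> List[Tuple[datetime, str]]:
    """Split the stream into bursts; a burst starts after more than gap_s of
    silence. Returns (start time, ip that sent the first packet) per burst."""
    bursts, last = [], None
    for ts, src, _dst in pkts:
        if last is None or (ts - last).total_seconds() > gap_s:
            bursts.append((ts, src))
        last = ts
    return bursts


def beacon_stats(rows: List[str], client_ip: str = CLIENT_IP, gap_s: float = BURST_GAP_S) -> Dict[str, object]:
    """Median interval between client-opened bursts and its MAD; 'regular' is
    true when the MAD is below 5 % of the median (the threshold is an assumption)."""
    bursts = group_bursts(parse_rows(rows), gap_s)
    starts = [ts for ts, src in bursts if src == client_ip]
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if not intervals:
        raise ValueError("need at least two bursts opened by the client")
    med = median(intervals)
    mad = median([abs(i - med) for i in intervals])
    return {
        "bursts": len(bursts),
        "client_initiated": len(starts),
        "intervals_s": [round(i, 3) for i in intervals],
        "median_interval_s": med,
        "mad_s": mad,
        "regular": mad < 0.05 * med,
    }


if __name__ == "__main__":
    stats = beacon_stats(SAMPLE_ROWS)
    print(f"{stats['client_initiated']} client-opened bursts, median interval "
          f"{stats['median_interval_s']:.2f} s, MAD {stats['mad_s']:.3f} s, "
          f"regular beacon: {stats['regular']}")
```

On the rows above this yields ten client-opened bursts with a median spacing of about 10.05 s and a MAD of a few milliseconds; the two server-opened bursts are excluded by direction rather than by guessing, which is why the first packet of each burst carries its sender.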

            Target ID:0
            Start time:14:47:18
            Start date:05/08/2022
            Path:C:\Users\user\Desktop\ORDINE.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\ORDINE.exe"
            Imagebase:0x960000
            File size:3145728 bytes
            MD5 hash:30E619EED663B6696BA1269DEC11E1A9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.454482675.0000000002A86000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:low

            Target ID:6
            Start time:14:47:30
            Start date:05/08/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Imagebase:0xd90000
            File size:2688096 bytes
            MD5 hash:B3A917344F5610BEEC562556F11300FA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.681364140.00000000051A3000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000000.438076644.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000006.00000002.683833759.0000000006BD4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:moderate

            Target ID:7
            Start time:14:47:32
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:8
            Start time:14:47:33
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:9
            Start time:14:47:33
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:10
            Start time:14:47:34
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:11
            Start time:14:47:34
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:12
            Start time:14:47:34
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x320000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:13
            Start time:14:47:35
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:14
            Start time:14:47:36
            Start date:05/08/2022
            Path:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x3c0000
            File size:3145728 bytes
            MD5 hash:30E619EED663B6696BA1269DEC11E1A9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000E.00000002.522558294.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            Reputation:low
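Processes 7, 9, 11, 12 and 14 are the whole install routine: create %LOCALAPPDATA%\Temp\iexplore, register a task named "Nafifas" that runs every minute, copy the sample there under the name iexplore.exe, and start the copy. Each step on its own looks ordinary, so the useful detection reads the command lines together. The following added example (not part of the Joe Sandbox report) does that over the command lines captured above, keeping the sandbox's odd quoting (cmd" /c ...) as observed and tolerating it in the tokenizer; it parses the schtasks /create switches and flags the minute-level trigger, the task action in a user-writable directory, a Windows-program name outside its normal location, the /f overwrite, and the self-copy. The directory and name lists, the five-minute threshold and the benign control line are assumptions chosen for the example, not facts from the report.

```python
"""Triage of Windows process command lines for the scheduled-task persistence chain.

Added example, not part of the Joe Sandbox report. It tokenises command lines
as they appear in Sysmon event 1, EDR telemetry or a sandbox process list,
parses the switches of schtasks /create and raises a (tag, detail) finding for
each trait of this chain: a trigger every minute, a task action under a
user-writable directory, a Windows-program name living outside Windows or
Program Files, /f overwriting an existing task, and an executable copied into
that directory. Thresholds, directory and name lists are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumptions for this example: directories a standard user can write to, and
# binary names that only belong under Windows or Program Files.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\", "\\downloads\\")
MASQUERADE_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "chrome.exe", "msedge.exe"}
SYSTEM_DIR_RE = re.compile(r"\\(windows|program files( \(x86\))?)\\")
MAX_FREQUENT_MINUTES = 5    # /sc minute /mo N with N <= 5 counts as high-frequency

# Command lines taken from the sandbox process list (quoting as captured).
MKDIR_CMD = r'cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore'
SCHTASKS_CMD = r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f'''
COPY_CMD = r'cmd" /c copy "C:\Users\user\Desktop\ORDINE.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'
# Constructed benign control, not from the report.
BENIGN_CMD = r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /ru SYSTEM'

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted spans together and stripping
    the double and single quotes that wrap values (the sample uses /tr "'path'").
    An unterminated quote, as in the captured cmd" lines, is kept with its word."""
    return [t.strip('"').strip("'") for t in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE)


def parse_switches(tokens: List[str]) -> Dict[str, str]:
    """Map '/switch' -> value for schtasks; switches without a value map to ''."""
    args, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("/"):
                args[tok.lower()] = nxt
                i += 2
                continue
            args[tok.lower()] = ""
        i += 1
    return args


def triage(cmdline: str) -> List[Tuple[str, str]]:
    """Return (tag, detail) findings for one command line; [] when nothing fires."""
    tokens = tokenize(cmdline)
    findings: List[Tuple[str, str]] = []
    # schtasks may be wrapped in cmd /c, so locate it by name rather than position
    idx = next((i for i, t in enumerate(tokens) if basename(t) in ("schtasks", "schtasks.exe")), None)
    if idx is not None:
        args = parse_switches(tokens[idx + 1:])
        if "/create" in args:
            sc, mo = args.get("/sc", "").lower(), args.get("/mo", "")
            if sc == "minute" and mo.isdigit() and int(mo) <= MAX_FREQUENT_MINUTES:
                findings.append(("frequent_trigger", f"task {args.get('/tn', '?')} runs every {mo} minute(s)"))
            action = args.get("/tr", "")
            if action and in_user_writable(action):
                findings.append(("user_writable_action", action))
            if basename(action) in MASQUERADE_NAMES and not SYSTEM_DIR_RE.search(action.lower()):
                findings.append(("masquerade_name", f"{basename(action)} outside Windows/Program Files"))
            if "/f" in args:
                findings.append(("force_overwrite", "/f silently replaces a task of the same name"))
    lower = [t.lower() for t in tokens]
    if "copy" in lower:
        operands = [t for t in tokens[lower.index("copy") + 1:] if not t.startswith("/")]
        if len(operands) >= 2 and operands[0].lower().endswith(".exe") and in_user_writable(operands[1]):
            findings.append(("self_copy", f"{basename(operands[0])} staged as {operands[1]}"))
    return findings


def triage_all(cmdlines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    return {c: triage(c) for c in cmdlines}


if __name__ == "__main__":
    for cmd, hits in triage_all([MKDIR_CMD, SCHTASKS_CMD, COPY_CMD, BENIGN_CMD]).items():
        print(cmd)
        for tag, detail in hits or [("clean", "no finding")]:
            print(f"  [{tag}] {detail}")
```

The schtasks line trips all four task findings and the copy line trips the self-copy finding, while the mkdir line and the benign daily backup task produce nothing. In a real pipeline the tags would be correlated per parent process (here all children of vbc.exe) rather than scored one line at a time.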

            Target ID:20
            Start time:14:48:00
            Start date:05/08/2022
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            Imagebase:0xd90000
            File size:2688096 bytes
            MD5 hash:B3A917344F5610BEEC562556F11300FA
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.534970060.0000000008E76000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000014.00000002.527812189.00000000069C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:moderate

            Target ID:21
            Start time:14:48:02
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c mkdir "C:\Users\user\AppData\Local\Temp\iexplore
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            Target ID:22
            Start time:14:48:03
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:23
            Start time:14:48:03
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:24
            Start time:14:48:04
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:25
            Start time:14:48:04
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:cmd" /c copy "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe" "C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x1100000
            File size:232960 bytes
            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:26
            Start time:14:48:05
            Start date:05/08/2022
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe'" /f
            Imagebase:0x320000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:27
            Start time:14:48:05
            Start date:05/08/2022
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff77f440000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language

            Target ID:34
            Start time:14:48:34
            Start date:05/08/2022
            Path:C:\Windows\System32\BackgroundTransferHost.exe
            Wow64 process (32bit):false
            Commandline:"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
            Imagebase:0x7ff6e0560000
            File size:36864 bytes
            MD5 hash:02BA81746B929ECC9DB6665589B68335
            Has elevated privileges:true
            Has administrator privileges:false
            Programmed in:C, C++ or other language

            Target ID:38
            Start time:14:49:01
            Start date:05/08/2022
            Path:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Wow64 process (32bit):true
            Commandline:C:\Users\user\AppData\Local\Temp\iexplore\iexplore.exe
            Imagebase:0x3c0000
            File size:3145728 bytes
            MD5 hash:30E619EED663B6696BA1269DEC11E1A9
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000026.00000002.692124542.00000000035F2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen

            No disassembly