File name: | pps.ps1 |
Full analysis: | https://app.any.run/tasks/e5fc3ae1-6b8a-4cf2-8d5e-627280b68519 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | April 25, 2019, 03:59:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | B70D1219C313005D77EA18E7BA2CED78 |
SHA1: | 8B8E6DAAF73064998BC38416B5E077935D1C0B4B |
SHA256: | 02ECE3EA4E5A86F0A2E11DBCEC0303E3589ABA7B93C606AEF9D470BBACDBC883 |
SSDEEP: | 6144:wJsMk0AjcoGqObripEbb1ZUxtWo9eDmxwIccuCFWwML8Vf9oAA9kKv3kqUaGzTLN:wJsMkYok9bxpo9eix9RpV1oAAywWnZ |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3864 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\pps.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
1424 | "C:\Users\Public\tklw.exe" | C:\Users\Public\tklw.exe | — | powershell.exe
User: admin; Company: lanch; Integrity Level: MEDIUM; Description: exosculation; Exit code: 0; Version: 3.3.7.1 | | | |
2908 | "C:\Users\Public\tklw.exe" | C:\Users\Public\tklw.exe | — | tklw.exe
User: admin; Company: lanch; Integrity Level: MEDIUM; Description: exosculation; Exit code: 0; Version: 3.3.7.1 | | | |
2812 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "tklw.exe" | C:\Windows\system32\cmd.exe | — | tklw.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
3364 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XYVZG2GV0DX4QZMNLCDG.temp | — | — | —
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF112e31.TMP | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
3864 | powershell.exe | C:\Users\Public\tklw.exe | executable | 1644E2515EA9FF1242FEF5FC2EBDFC83 | 9345E4CCD69A58F46CA8DE541AEA95CD976B578D141DC1EFF58AB949D047E1DB
3864 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 33B4C42BAF9E3CA295E3BDCD51C02EAF | B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
2908 | tklw.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-namedpipe-l1-1-0.dll | executable | 6F6796D1278670CCE6E2D85199623E27 | C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
2908 | tklw.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dll | executable | EFF11130BFE0D9C90C0026BF2FB219AE | 03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
2908 | tklw.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-datetime-l1-1-0.dll | executable | CB978304B79EF53962408C611DFB20F5 | 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
2908 | tklw.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-debug-l1-1-0.dll | executable | 88FF191FD8648099592ED28EE6C442A5 | C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
2908 | tklw.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l2-1-0.dll | executable | E479444BDD4AE4577FD32314A68F5D28 | C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
2908 | tklw.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-interlocked-l1-1-0.dll | executable | D97A1CB141C6806F0101A5ED2673A63D | DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
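The process and file tables above describe a chain that is easy to express as behavioural detections: powershell.exe writes an executable into C:\Users\Public and launches it, the child re-launches itself, drops a set of api-ms-win-core-*.dll files into a fresh %TEMP% subdirectory, and finally spawns `cmd.exe /c timeout 3 & del "tklw.exe"` so the binary is unlinked once the parent exits. The Python below is an added example, not ANY.RUN output or any vendor's rule set: it models those two tables as Sysmon-style ProcessCreate (ID 1) and FileCreate (ID 11) records and runs three checks over them. PIDs, image paths, command lines and dropped-file paths are copied from the tables; the event field names, the ordering of the records and the user-writable path list are assumptions.

```python
"""Behavioural checks over Sysmon-style events, modelled on the pps.ps1 /
tklw.exe chain in this report. Added example, not ANY.RUN output."""
import ntpath
import re
from collections import defaultdict

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TK = r"C:\Users\Public\tklw.exe"
CMD = r"C:\Windows\system32\cmd.exe"
TMP = r"C:\Users\admin\AppData\Local\Temp\9622D276"

# Constructed sample telemetry. "id" follows Sysmon: 1 = ProcessCreate,
# 11 = FileCreate. PIDs, images, command lines and file paths come from the
# report tables; the event ordering is assumed, ANY.RUN does not record it.
EVENTS = [
    {"id": 1, "pid": 3864, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmd": f'"{PS}" "-file" "C:\\Users\\admin\\AppData\\Local\\Temp\\pps.ps1"'},
    {"id": 11, "pid": 3864, "image": PS, "target": TK},
    {"id": 1, "pid": 1424, "image": TK, "parent_image": PS, "cmd": f'"{TK}"'},
    {"id": 1, "pid": 2908, "image": TK, "parent_image": TK, "cmd": f'"{TK}"'},
] + [
    {"id": 11, "pid": 2908, "image": TK, "target": ntpath.join(TMP, name)}
    for name in (
        "api-ms-win-core-namedpipe-l1-1-0.dll", "api-ms-win-core-localization-l1-2-0.dll",
        "api-ms-win-core-datetime-l1-1-0.dll", "api-ms-win-core-debug-l1-1-0.dll",
        "api-ms-win-core-file-l2-1-0.dll", "api-ms-win-core-interlocked-l1-1-0.dll",
    )
] + [
    {"id": 1, "pid": 2812, "image": CMD, "parent_image": TK,
     "cmd": f'"{CMD}" /c C:\\Windows\\system32\\timeout.exe 3 & del "tklw.exe"'},
    {"id": 1, "pid": 3364, "image": r"C:\Windows\system32\timeout.exe",
     "parent_image": CMD, "cmd": r"C:\Windows\system32\timeout.exe 3"},
]

# Assumed list of locations a medium-integrity user can write to.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")


def user_writable(path):
    p = path.lower()
    return p.startswith(USER_WRITABLE[:2]) or USER_WRITABLE[2] in p


def dropped_and_executed(events):
    """An .exe written to a user-writable path by one process and later run.
    Returns one (dropper_pid, dropped_path, new_pid) per execution."""
    drops = {}  # lowercase path -> pid that wrote it
    hits = []
    for ev in events:
        if ev["id"] == 11 and ev["target"].lower().endswith(".exe") and user_writable(ev["target"]):
            drops[ev["target"].lower()] = ev["pid"]
        elif ev["id"] == 1 and ev["image"].lower() in drops:
            hits.append((drops[ev["image"].lower()], ev["image"], ev["pid"]))
    return hits


SELF_DELETE = re.compile(r'timeout(?:\.exe)?\s+\d+\s*&\s*del\s+"?([^"\s]+)"?', re.I)


def self_deletion(events):
    """cmd.exe whose command line waits and then deletes a file with the same
    name as cmd.exe's own parent image: the parent is exiting so the file can
    be unlinked. Returns one (cmd_pid, parent_image) per match."""
    hits = []
    for ev in events:
        if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() != "cmd.exe":
            continue
        m = SELF_DELETE.search(ev["cmd"])
        if m and ntpath.basename(m.group(1)).lower() == ntpath.basename(ev["parent_image"]).lower():
            hits.append((ev["pid"], ev["parent_image"]))
    return hits


API_SET = re.compile(r"^api-ms-win-core-.*\.dll$", re.I)


def api_set_dll_drops(events, min_count=3):
    """A process writing several api-ms-win-core-*.dll files into a directory
    outside the Windows and Program Files trees, as tklw.exe does here after
    its 4.27 MB C2 response. Genuine copies live in System32/SysWOW64 and are
    also shipped by UCRT redistributables, hence the location and count
    filters. Returns one (pid, directory, count) per directory over threshold."""
    counts = defaultdict(int)
    for ev in events:
        if ev["id"] != 11 or not API_SET.match(ntpath.basename(ev["target"])):
            continue
        d = ntpath.dirname(ev["target"])
        if not d.lower().startswith(("c:\\windows\\", "c:\\program files")):
            counts[(ev["pid"], d)] += 1
    return [(pid, d, n) for (pid, d), n in sorted(counts.items()) if n >= min_count]


if __name__ == "__main__":
    for label, check in (("drop-and-run", dropped_and_executed),
                         ("self-deletion", self_deletion),
                         ("api-set DLL drops", api_set_dll_drops)):
        for hit in check(EVENTS):
            print(f"[{label}] {hit}")
```

The self-deletion check deliberately compares basenames, because the `del` argument in this sample is relative (`"tklw.exe"`) while Sysmon reports the parent as a full path. The api-set check fires on pid 2908 for the six DLLs in the table; installers that carry the Universal CRT drop the same file names, so in production the count threshold and the path exclusions should be tuned against your own baseline rather than taken from this sample.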
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2908 | tklw.exe | POST | 200 | 193.124.206.108:80 | http://hfdfdhfgh.ru/index.php | RU | binary | 4.27 MB | malicious
2908 | tklw.exe | POST | 200 | 193.124.206.108:80 | http://hfdfdhfgh.ru/index.php | RU | text | 2 B | malicious
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2908 | tklw.exe | 193.124.206.108:80 | hfdfdhfgh.ru | Domain names registrar REG.RU, Ltd | RU | malicious |
Domain | IP | Reputation
---|---|---
hfdfdhfgh.ru | | malicious
PID | Process | Class | Message |
---|---|---|---|
2908 | tklw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2908 | tklw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
2908 | tklw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response |
2908 | tklw.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
2908 | tklw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2908 | tklw.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |
Process | Message |
---|---|
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |
tklw.exe | User32.dll |