Field | Value
---|---
File name | 7.rar
Full analysis | https://app.any.run/tasks/fcf427ef-a7f3-4e51-b938-72dfbd0c89cc
Verdict | Malicious activity
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Analysis date | May 14, 2019, 20:31:16
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | DE7F01D38965A810A07A5DF1298748ED
SHA1 | 2D07F1795AC31F25730B31D96FDDE155AB05C82C
SHA256 | 04447A59CD74F75D6E61BD627F0121B177BB234CAF65AA6E0D2525AFFB02E57B
SSDEEP | 49152:EGVRRbeuHnMa6vYz4vWN2toGZRLbYRmCPnQC5bVzGLZ:/VRRbeMnHRstoQu9PQCNwLZ
Extension | Detected type (score)
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3344 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\7.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe
3588 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe
4072 | "C:\Users\admin\Desktop\TrafficBot64 [Cracked By MarkVoid].exe" | C:\Users\admin\Desktop\TrafficBot64 [Cracked By MarkVoid].exe | — | explorer.exe
3752 | schtasks /create /f /sc minute /mo 1 /tn "'TrafficBot64 [Cracked By MarkVoid]'" /tr "'C:\Users\admin\AppData\Roaming\trafbot.exe'" | C:\Windows\system32\schtasks.exe | — | TrafficBot64 [Cracked By MarkVoid].exe
3952 | "C:\Users\admin\AppData\Roaming\trafbot.exe" | C:\Users\admin\AppData\Roaming\trafbot.exe | — | TrafficBot64 [Cracked By MarkVoid].exe
3632 | "C:\Users\admin\AppData\Roaming\trafbot.exe" | C:\Users\admin\AppData\Roaming\trafbot.exe | — | trafbot.exe
2988 | netstat -nb | C:\Windows\system32\NETSTAT.EXE | — | cmd.exe
2552 | netstat -nb | C:\Windows\system32\NETSTAT.EXE | — | cmd.exe
3088 | netstat -nb | C:\Windows\system32\NETSTAT.EXE | — | cmd.exe
3024 | C:\Users\admin\AppData\Roaming\trafbot.exe | C:\Users\admin\AppData\Roaming\trafbot.exe | — | taskeng.exe

PID | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---
3344 | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0
3588 | admin | Microsoft Corporation | HIGH | Windows Command Processor | — | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4072 | admin | — | HIGH | — | 0 | 0.0.0.0
3752 | admin | Microsoft Corporation | HIGH | Manages scheduled tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3952 | admin | — | HIGH | — | — | 0.0.0.0
3632 | admin | — | HIGH | — | 0 | 0.0.0.0
2988 | admin | Microsoft Corporation | HIGH | TCP/IP Netstat Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
2552 | admin | Microsoft Corporation | HIGH | TCP/IP Netstat Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3088 | admin | Microsoft Corporation | HIGH | TCP/IP Netstat Command | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3024 | admin | — | MEDIUM | — | — | 0.0.0.0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3344 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.40337\TrafficBot64 [Cracked By MarkVoid].exe | — | — | —
3344 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.40337\TrafficBot [Cracked By MarkVoid].exe | — | — | —
3344 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.40337\putty.exe | — | — | —
3344 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3344.40337\dengine.exe | — | — | —
4072 | TrafficBot64 [Cracked By MarkVoid].exe | C:\Users\admin\AppData\Local\Temp\TrafficBot64 [Cracked By MarkVoid].exe | executable | 5DF5E82DAF6A952F6E681F98BB0CFA82 | 67F3D37FDD647502E42741EFDD11D31C287247DE7BE94EDD4D9A77A2480A3776
3952 | trafbot.exe | C:\Users\admin\AppData\Local\Temp\TrafficBot64 [Cracked By MarkVoid].exe | executable | 5DF5E82DAF6A952F6E681F98BB0CFA82 | 67F3D37FDD647502E42741EFDD11D31C287247DE7BE94EDD4D9A77A2480A3776
4072 | TrafficBot64 [Cracked By MarkVoid].exe | C:\Users\admin\AppData\Roaming\trafbot.exe | executable | 026086E0CD74C34B7B84A6B282C20BB4 | 2288E132BFD2F4722298470251107124B63999F0D24565D830863DE61C77A335
3632 | trafbot.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll | executable | CB978304B79EF53962408C611DFB20F5 | 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
3632 | trafbot.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll | executable | 6DB54065B33861967B491DD1C8FD8595 | 945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
3632 | trafbot.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll | executable | E2F648AE40D234A3892E1455B4DBBE05 | C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3632 | trafbot.exe | POST | 200 | 82.146.59.125:80 | http://graphicex.ru/index.php | RU | text | 5 b | malicious |
3632 | trafbot.exe | POST | 200 | 82.146.59.125:80 | http://graphicex.ru/index.php | RU | txt | 4.27 Mb | malicious |
2956 | trafbot.exe | POST | 200 | 82.146.59.125:80 | http://graphicex.ru/index.php | RU | txt | 4.27 Mb | malicious |
2956 | trafbot.exe | POST | 200 | 82.146.59.125:80 | http://graphicex.ru/index.php | RU | text | 5 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3632 | trafbot.exe | 82.146.59.125:80 | graphicex.ru | JSC ISPsystem | RU | malicious |
2956 | trafbot.exe | 82.146.59.125:80 | graphicex.ru | JSC ISPsystem | RU | malicious |
Domain | IP | Reputation
---|---|---
graphicex.ru | | malicious
PID | Process | Class | Message |
---|---|---|---|
3632 | trafbot.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
3632 | trafbot.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
3632 | trafbot.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
3632 | trafbot.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
3632 | trafbot.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |
2956 | trafbot.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2956 | trafbot.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2956 | trafbot.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2956 | trafbot.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2956 | trafbot.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |