analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

FW RFQ.doc

Full analysis: https://app.any.run/tasks/70139707-f866-4494-92d3-0e28ad9a4cc8
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: January 22, 2019, 13:15:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
trojan
rat
azorult
opendir
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5:

837170A5B5D85B20D3E4C01228F5D74B

SHA1:

578E3AC7888126144E4E6080CEC0981D3281F664

SHA256:

09BC978EBDC88D4F2CD380F14A33D8181F99F5D42DFDA3D4E48CCE6447A6E8F9

SSDEEP:

24576:wfdvUZaOtZTmZhm4L1LNDHGNEzUFLoHLim7GKELfL8fnIC:u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 2960)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2960)
    • Runs app for hidden code execution

      • cmd.exe (PID: 2472)
      • cmd.exe (PID: 3844)
    • Application was dropped or rewritten from another process

      • saver.scr (PID: 2952)
      • Saver.SCR (PID: 2660)
    • Actions looks like stealing of personal data

      • Saver.SCR (PID: 2660)
    • Loads dropped or rewritten executable

      • Saver.SCR (PID: 2660)
    • Connects to CnC server

      • Saver.SCR (PID: 2660)
    • AZORULT was detected

      • Saver.SCR (PID: 2660)
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 2472)
      • cmd.exe (PID: 2504)
      • saver.scr (PID: 2952)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2472)
      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 2260)
      • cmd.exe (PID: 2504)
      • Saver.SCR (PID: 2660)
    • Executes scripts

      • cmd.exe (PID: 2504)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 2504)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 2912)
      • cmd.exe (PID: 4020)
      • cmd.exe (PID: 2952)
      • cmd.exe (PID: 3920)
      • cmd.exe (PID: 2504)
    • Executable content was dropped or overwritten

      • cscript.exe (PID: 4072)
      • Saver.SCR (PID: 2660)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2504)
      • saver.scr (PID: 2952)
    • Creates files in the user directory

      • Saver.SCR (PID: 2660)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2960)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
40
Malicious processes
6
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winword.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs cmd.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs timeout.exe no specs cscript.exe taskkill.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs saver.scr no specs cscript.exe no specs #AZORULT saver.scr cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2960"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\FW RFQ.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
1
Version:
14.0.6024.1000
3844"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2260CmD C:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2504C:\Windows\system32\cmd.exe /K itnqknf5.CMDC:\Windows\system32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3048TIMEOUT /T 1C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3516TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3944TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2472"C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"C:\Windows\System32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2560TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3268TIMEOUT /T 1 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 545
Read events
1 495
Write events
0
Delete events
0

Modification events

No data
Executable files
49
Suspicious files
3
Text files
14
Unknown types
4

Dropped files

PID
Process
Filename
Type
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE989.tmp.cvr
MD5:
SHA256:
2960WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:562FE999368B94AB908D9AA32036F8F0
SHA256:D8AA20CC6D16C82CDE094ECFFA046902F9E2298F557272AA4FD9DAB504034E3C
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\a.ScTxml
MD5:B079D52F89759AB61A9B7EFA9367CA17
SHA256:A9EEF1BEA82EBAF0F71E356D77EC980FA087F56F6C665C58011BCB6FA98E4501
2960WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B900DC0F-29C7-4B94-B7A7-EE6B10D23361}.tmpbinary
MD5:B279EC8A2A9EE283EC9C2D7615DD8B6F
SHA256:AC50F03038E66605BEC5E04C50051C01F7F028CAA0DF4D680BDFBBA6013B108C
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\uffm.cmdtext
MD5:D262EFBD41B7F25E9D0B88BDBC4FD817
SHA256:CD22927DEA8C9B3C9CFBC9F4EF85AC677ADB8CB4C353CBC2CC47034C1BEF5159
2504cmd.exeC:\Users\admin\AppData\Local\Temp\_.vbstext
MD5:778643D184339788FEAD87C5043A6BEA
SHA256:FFEDB6EF220F09EC30ECAD07D897C14F59591A2F05D160308C11FC763AFF6060
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\itn.zipcompressed
MD5:F4185C857A7618F0AA0A8F3123372F72
SHA256:76CD5F851623F3EDF77B3803D6B3BB90A5970E78329E2DE6B08673DCD4D91C3D
2960WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AB4DA00B-9C52-4DBA-B848-F02DCD865EE8}.tmpbinary
MD5:DC4A0BE68F137F2632D47422369EA42B
SHA256:5F35DE9F499BD393324B08C9E30687317003D0F2706067DD516D86C936571117
2960WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~$ RFQ.doc.rtfpgc
MD5:92D24E75D1740C8D64A164FF7910D8DB
SHA256:2D2CF5BD616DAE5CDC8FE7F0150B86FC1AC1C42EB834FA9E07ADFF5570B64B31
4072cscript.exeC:\Users\admin\AppData\Local\Temp\gondi.doctext
MD5:3790051BC2F564F6337614417202E89E
SHA256:A3C8998B02922559F2BBA9BA6E6F8C4C356AD7232370D430EDB1F63C74402172
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
1
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2660
Saver.SCR
POST
200
87.76.31.198:80
http://www.autofficinaviola.it/wp_content/file/log/js/html/css/index.php
GB
binary
4.27 Mb
malicious
2660
Saver.SCR
POST
200
87.76.31.198:80
http://www.autofficinaviola.it/wp_content/file/log/js/html/css/index.php
GB
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2660
Saver.SCR
87.76.31.198:80
www.autofficinaviola.it
4D Data Centres Ltd
GB
malicious

DNS requests

Domain
IP
Reputation
www.autofficinaviola.it
  • 87.76.31.198
malicious

Threats

PID
Process
Class
Message
2660
Saver.SCR
A Network Trojan was detected
ET TROJAN AZORult Variant.4 Checkin M2
2660
Saver.SCR
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
2660
Saver.SCR
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
2660
Saver.SCR
A Network Trojan was detected
MALWARE [PTsecurity] AZORult HTTP Header
2660
Saver.SCR
A Network Trojan was detected
MALWARE [PTsecurity] AZORult client request
2 ETPRO signatures available at the full report
No debug info