Field | Value
---|---
File name | ALL FILES 00001.zip
Full analysis | https://app.any.run/tasks/e494413a-5b45-4b89-a05d-8c84bfca2a31
Verdict | Malicious activity
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Analysis date | February 10, 2019, 16:20:34
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/zip
File info | Zip archive data, at least v2.0 to extract
MD5 | EDA5D1F5A507A85FBA6D34BD835E9D5C
SHA1 | D64093833CE6596FC75EA88FECFC4E622EBE332B
SHA256 | 0ACFD55E26F4419F32E0BA35B33F42E235D7961D875E3B202030E98CB2D2E8F5
SSDEEP | 49152:FGyjJVa49pjcH+YW38tEPk/MMYEZnDnUmePttirIXQBh99:FGyntc2cik/vYEZnDnUmuXQd9
Extension | Detected type
---|---
.zip | ZIP compressed archive (100)

Archive field | Value
---|---
ZipFileName | ALL.FILES00001.js
ZipUncompressedSize | 3316146
ZipCompressedSize | 2083386
ZipCRC | 0x41f39fef
ZipModifyDate | 2019:02:09 22:04:21
ZipCompression | Deflated
ZipBitFlag | -
ZipRequiredVersion | 20
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3516 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ALL FILES 00001.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
2164 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3516.15836\ALL.FILES00001.js" | C:\Windows\System32\WScript.exe | — | WinRAR.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3644 | "C:\Users\admin\AppData\Local\Temp\eScfbGVynncWo.exe" | C:\Users\admin\AppData\Local\Temp\eScfbGVynncWo.exe | — | WScript.exe | User: admin; Company: ammi2; Integrity Level: MEDIUM; Description: wheelerdealer7; Exit code: 0; Version: 1.06.0006
3308 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs" | C:\Windows\System32\WScript.exe | — | eScfbGVynncWo.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
3500 | "C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe" | C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe | — | eScfbGVynncWo.exe | User: admin; Company: ammi2; Integrity Level: MEDIUM; Description: wheelerdealer7; Exit code: 0; Version: 1.06.0006
3588 | C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe" | C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe | — | filename.exe | User: admin; Company: ammi2; Integrity Level: MEDIUM; Description: wheelerdealer7; Exit code: 0; Version: 1.06.0006
3180 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "filename.exe" | C:\Windows\system32\cmd.exe | — | filename.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
4008 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: timeout - pauses command processing; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write |
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write |
3516 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | write | en-US
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\Desktop\ALL FILES 00001.zip
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100
3516 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @C:\Windows\System32\wshext.dll,-4804 | write | JScript Script File
3516 | WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3644 | eScfbGVynncWo.exe | C:\Users\admin\AppData\Local\Temp\~DF79D10BC1AC5D8F57.TMP | binary | 4C03E16323B57D876A20E682CB00E0C3 | 91D5D2673A9F668F6258E4ED6218FBEC2F08C15C8A5365B1964EA89204B4A986
3516 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3516.15836\ALL.FILES00001.js | text | 3A0D3C700C1D5A39834476F8B6A4F178 | C4F54D134679D74608BEE404C945D1FB0A2BE87F084F21D7F0F7861F92E6DA0D
3500 | filename.exe | C:\Users\admin\AppData\Local\Temp\~DF112BE546E6F2790D.TMP | binary | 4C03E16323B57D876A20E682CB00E0C3 | 91D5D2673A9F668F6258E4ED6218FBEC2F08C15C8A5365B1964EA89204B4A986
3644 | eScfbGVynncWo.exe | C:\Users\admin\AppData\Local\Temp\subfolder\filename.vbs | text | 50818BE514AA614777A2535555ACF81C | A37D7864806BE12322A04D93122FCEA1CCCFA20BB86476D9BF57C706EDCC87BC
2164 | WScript.exe | C:\Users\admin\AppData\Local\Temp\eScfbGVynncWo.exe | executable | F96CE24DD508E2C12B9B2A6E6626613B | 0D5AC890C9882D82D5F28EECF1F89BEC12012E184CC8F790F89F88E27AF7C506
3644 | eScfbGVynncWo.exe | C:\Users\admin\AppData\Local\Temp\subfolder\filename.exe | executable | F96CE24DD508E2C12B9B2A6E6626613B | 0D5AC890C9882D82D5F28EECF1F89BEC12012E184CC8F790F89F88E27AF7C506
3588 | filename.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll | executable | 6F6796D1278670CCE6E2D85199623E27 | C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
3588 | filename.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll | executable | D0873E21721D04E20B6FFB038ACCF2F1 | BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
3588 | filename.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll | executable | E479444BDD4AE4577FD32314A68F5D28 | C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
3588 | filename.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll | executable | D97A1CB141C6806F0101A5ED2673A63D | DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3588 | filename.exe | POST | 200 | 162.244.92.133:80 | http://k-antivirus.com/index.php | US | txt | 4.27 Mb | malicious |
3588 | filename.exe | POST | 200 | 162.244.92.133:80 | http://k-antivirus.com/index.php | US | text | 5 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3588 | filename.exe | 162.244.92.133:80 | k-antivirus.com | FranTech Solutions | US | malicious |
Domain | IP | Reputation
---|---|---
k-antivirus.com | | malicious
PID | Process | Class | Message
---|---|---|---
3588 | filename.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
3588 | filename.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
3588 | filename.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3588 | filename.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3588 | filename.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
3588 | filename.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |