Field | Value |
---|---|
File name: | RUSThack.exe |
Full analysis: | https://app.any.run/tasks/441e5cc5-ee13-4e90-9975-341d73d15d73 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | July 11, 2019, 14:56:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | DF8F312CB227E8E1D5755287B8EB1BE2 |
SHA1: | 2CCE3F096A8E67ED540FA50E1C0A386D8A108FC7 |
SHA256: | 0AD546E71C49D794B736D167406FE491FFBC3399662AD69D992FAEE025D44215 |
SSDEEP: | 3072:i9H75pIgpTj4t8hL9OZ1DnP7NH+EX5epWlouzT9ciMlpQDc1T+Oy/NVkjC2r4GVx:87QaGrT9dKaT9vmpdKVVVkXx |
Extension | Identified type (score) |
---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
.exe | Win64 Executable (generic) (23.8) |
.dll | Win32 Dynamic Link Library (generic) (5.6) |
.exe | Win32 Executable (generic) (3.8) |
.exe | Generic Win/DOS Executable (1.7) |
Property | Value |
---|---|
ProductVersion: | 4.18.1807.18075 |
ProductName: | Microsoft® Windows® Operating System |
OriginalFileName: | MsMpEng.exe |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
InternalName: | MsMpEng.exe |
FileVersion: | 4.18.1807.18075 (GitEnlistment(winpbld).180719-0853) |
FileDescription: | Antimalware Service Executable |
CompanyName: | Microsoft Corporation |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | Private build |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 4.18.1807.18075 |
FileVersionNumber: | 4.18.1807.18075 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x2ee0e |
UninitializedDataSize: | - |
InitializedDataSize: | 11776 |
CodeSize: | 184320 |
LinkerVersion: | 8 |
PEType: | PE32 |
TimeStamp: | 2019:06:23 19:35:52+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Property | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 23-Jun-2019 17:35:52 |
Detected languages: | |
CompanyName: | Microsoft Corporation |
FileDescription: | Antimalware Service Executable |
FileVersion: | 4.18.1807.18075 (GitEnlistment(winpbld).180719-0853) |
InternalName: | MsMpEng.exe |
LegalCopyright: | © Microsoft Corporation. All rights reserved. |
OriginalFilename: | MsMpEng.exe |
ProductName: | Microsoft® Windows® Operating System |
ProductVersion: | 4.18.1807.18075 |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 23-Jun-2019 17:35:52 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x0002CE14 | 0x0002D000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.74793 |
.rsrc | 0x00030000 | 0x00002A5C | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.43476 |
.reloc | 0x00034000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.57584 | 964 | Latin 1 / Western European | UNKNOWN | RT_VERSION |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
3016 | "C:\Users\admin\AppData\Local\Temp\RUSThack.exe" | C:\Users\admin\AppData\Local\Temp\RUSThack.exe | | explorer.exe | admin | Microsoft Corporation | MEDIUM | Antimalware Service Executable | 0 | 4.18.1807.18075 (GitEnlistment(winpbld).180719-0853) |
1096 | "cmd.exe" | C:\Windows\system32\cmd.exe | | RUSThack.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3120 | reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f | C:\Windows\system32\reg.exe | | cmd.exe | admin | Microsoft Corporation | MEDIUM | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
3632 | "C:\Users\admin\AppData\Local\Temp\svhost.exe" | C:\Users\admin\AppData\Local\Temp\svhost.exe | | RUSThack.exe | admin | Microsoft Corporation | MEDIUM | Visual Basic Command Line Compiler | 0 | 9.0.30729.5420 |
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
3120 | reg.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows | write | Load | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32 | write | EnableFileTracing | 0 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32 | write | EnableConsoleTracing | 0 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32 | write | FileTracingMask | 4294901760 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32 | write | ConsoleTracingMask | 4294901760 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32 | write | MaxFileSize | 1048576 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32 | write | FileDirectory | %windir%\tracing |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS | write | EnableFileTracing | 0 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS | write | EnableConsoleTracing | 0 |
3632 | svhost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS | write | FileTracingMask | 4294901760 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3016 | RUSThack.exe | C:\Users\admin\AppData\Local\Temp\svhost.exe | executable | 32827E69B293B99013BBBE37D029245D | 9250B89157770E3AB59A2C7E2DD6B12B3C61D9B7C6620C3B4727E4BFFF10F01F |
1096 | cmd.exe | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe | executable | DF8F312CB227E8E1D5755287B8EB1BE2 | 0AD546E71C49D794B736D167406FE491FFBC3399662AD69D992FAEE025D44215 |
3632 | svhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A |
3632 | svhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt | text | 1A35B008367EB05174001ADE3E1EA8A0 | C9F0D8F1455D95F0D1E4885090FDD41C1A3C2445E0CDC8810E193BCE1AE38A7F |
1096 | cmd.exe | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier | text | 130A75A932A2FE57BFEA6A65B88DA8F6 | F2B79CAE559D6772AFC1C2ED9468988178F8B6833D5028A15DEA73CE47D0196E |
3016 | RUSThack.exe | C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk | lnk | B7F2CFEC6823A438DBA7530A8F4AE648 | 612F6D646DAAA368D40443AB894042EBB8B93AC485658E78682731BAD9AB52CC |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3632 | svhost.exe | POST | 200 | 92.119.113.254:80 | http://zzzmen99.had.su/index.php | unknown | text | 7 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3632 | svhost.exe | 92.119.113.254:80 | zzzmen99.had.su | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
zzzmen99.had.su | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
3632 | svhost.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
3632 | svhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
3632 | svhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
3632 | svhost.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |