Sample: Install.exe

Full analysis: https://app.any.run/tasks/483a2ec1-4073-43f8-b073-020cb40ab31c
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: January 18, 2020, 10:50:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
azorult
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable, MZ for MS-DOS
MD5: D95B56E77916AA7BA0B0178BFB1A0A4C
SHA1: AFD674D1D49E7979509D522546E6C754430EE6CA
SHA256: 15C98DD9E1BAFCFB725567E961AC7803FDC21C23FE7D5A6C93B32987542E6B78
SSDEEP: 98304:vVRz9OeGI1upf9Fg66c9DpPZC0uv53yXEiArPNpFbfsY:b0e916Dg6hhpQeyTNbfs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Changes settings of System certificates
      • dllhost.exe (PID: 784)
    • AZORULT was detected
      • dllhost.exe (PID: 784)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • Install.exe (PID: 1404)
    • Starts CMD.EXE for self-deleting
      • Install.exe (PID: 1404)
    • Adds / modifies Windows certificates
      • dllhost.exe (PID: 784)
    • Creates files in the user directory
      • dllhost.exe (PID: 784)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:23 19:02:24+01:00
PEType: PE32
LinkerVersion: 12
CodeSize: 581120
InitializedDataSize: 719360
UninitializedDataSize: -
EntryPoint: 0x958431
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.4.1.9
ProductVersionNumber: 1.4.1.9
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
Comments: goUmaMmtWG969mCDERGFvKIl5XFeFVXGFxCxsGQ3Ltx69iFSEdp8Mk4ttd3K4C3NdTpo99N17xZVYndRP229FafwP
CompanyName: Microsoft ® VC WinRT core library
FileDescription: MFC Language Specific Resources
FileVersion: 1.4.1.9
InternalName: wextract.exe
LegalCopyright: (C) rmnviC8WSI64zd4TUcrlxqv8iWCzAdVe8PNK5bUVr1KNp8vTopBXPd26wv4Fl Technology Co. Ltd., All rights reserved.
OriginalFileName: wextract.exe
ProductVersion: 1.4.1.9

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-Dec-2019 18:02:24
Detected languages:
  • English - United Kingdom
  • English - United States
Comments: goUmaMmtWG969mCDERGFvKIl5XFeFVXGFxCxsGQ3Ltx69iFSEdp8Mk4ttd3K4C3NdTpo99N17xZVYndRP229FafwP
CompanyName: Microsoft ® VC WinRT core library
FileDescription: MFC Language Specific Resources
FileVersion: 1.4.1.9
InternalName: wextract.exe
LegalCopyright: (C) rmnviC8WSI64zd4TUcrlxqv8iWCzAdVe8PNK5bUVr1KNp8vTopBXPd26wv4Fl Technology Co. Ltd., All rights reserved.
OriginalFilename: wextract.exe
ProductVersion: 1.4.1.9

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0040
Pages in file: 0x0001
Relocations: 0x0000
Size of header: 0x0002
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0xB400
OEM information: 0xCD09
Address of NE header: 0x00000040

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 23-Dec-2019 18:02:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.MPRESS1 | 0x00001000 | 0x00957000 | 0x00407200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.9575
.MPRESS2\xe0\x06 | 0x00958000 | 0x000006E0 | 0x00000800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.13395
.rsrc | 0x00959000 | 0x00023300 | 0x00023400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.0211

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.40026 | 1007 | UNKNOWN | English - United States | RT_MANIFEST
2 | 4.74524 | 67624 | UNKNOWN | English - United Kingdom | RT_ICON
3 | 4.90179 | 16936 | UNKNOWN | English - United Kingdom | RT_ICON
4 | 4.85243 | 9640 | UNKNOWN | English - United Kingdom | RT_ICON
5 | 5.11811 | 4264 | UNKNOWN | English - United Kingdom | RT_ICON
6 | 5.32745 | 2440 | UNKNOWN | English - United Kingdom | RT_ICON
7 | 5.34223 | 1128 | UNKNOWN | English - United Kingdom | RT_ICON
99 | 2.91902 | 104 | UNKNOWN | English - United Kingdom | RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.DLL
MPR.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
No data.
Total processes: 37
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> Install.exe (no specs) -> dllhost.exe (#AZORULT)
start -> Install.exe (no specs) -> cmd.exe (no specs) -> timeout.exe (no specs)

Process information

PID: 1404
CMD: "C:\Users\admin\AppData\Local\Temp\Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\Install.exe
Parent process: explorer.exe
User: admin
Company: Microsoft ® VC WinRT core library
Integrity Level: MEDIUM
Description: MFC Language Specific Resources
Exit code: 0
Version: 1.4.1.9

PID: 784
CMD: "C:\Windows\system32\dllhost.exe"
Path: C:\Windows\system32\dllhost.exe
Parent process: Install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3388
CMD: "C:\Windows\System32\cmd.exe" /c TimeOut 1 & Del /F "C:\Users\admin\AppData\Local\Temp\Install.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: Install.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1584
CMD: TimeOut 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 154
Read events: 114
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

PID | Process | Filename | Type
784 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@mywps[1].txt | text
  MD5: F1D3C110F9E132CAE9D8AF0120A9EF94
  SHA256: 87064D09D66EE9F4BF0B11825A058F343324FA5E64145C1BEC021025E406F76B
784 | dllhost.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat
  MD5: D7A950FEFD60DBAA01DF2D85FEFB3862
  SHA256: 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
784 | dllhost.exe | POST | 400 | 104.18.56.40:443 | http://fyvittyo.mywps.me:443/AXXaMV/neindexslog2.php | US | html | 655 b | suspicious

Connections

IP | Domain | ASN | CN | Reputation
104.18.57.40:443 | fyvittyo.mywps.me | Cloudflare Inc | US | unknown
104.18.56.40:443 | fyvittyo.mywps.me | Cloudflare Inc | US | suspicious

DNS requests

Domain | IP | Reputation
fyvittyo.mywps.me | 104.18.57.40, 104.18.56.40 | suspicious

Threats

PID | Process | Class | Message
784 | dllhost.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult
784 | dllhost.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
No debug info