URL: | https://anonfile.com/feQ29cb4oc/Netflix_by_M1st_rar |
Full analysis: | https://app.any.run/tasks/0d76622d-94d2-414a-8cbd-0d8bf953dee5 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | February 21, 2020, 18:12:01 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 6619EFBF0F2B9DDBFEE3CB7341EC4717 |
SHA1: | 1810553F45C65FF5D844AB42D13413E9737CD89B |
SHA256: | 338E0A60391276D9F59C908F543CB16E81C6C0ED0D6385665F1258F0BD8F08A3 |
SSDEEP: | 3:N8RGUpwF96oU9UX:2gseAO |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3376 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://anonfile.com/feQ29cb4oc/Netflix_by_M1st_rar" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 68.0.1 | | | |
1888 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://anonfile.com/feQ29cb4oc/Netflix_by_M1st_rar | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 68.0.1 | | | |
3164 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1888.0.1341437325\876402343" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1888 "\\.\pipe\gecko-crash-server-pipe.1888" 1200 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 68.0.1 | | | |
376 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1888.3.702834255\710548357" -childID 1 -isForBrowser -prefsHandle 1724 -prefMapHandle 1708 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1888 "\\.\pipe\gecko-crash-server-pipe.1888" 1780 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1 | | | |
816 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1888.13.591221846\370028539" -childID 2 -isForBrowser -prefsHandle 2764 -prefMapHandle 2768 -prefsLen 5997 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1888 "\\.\pipe\gecko-crash-server-pipe.1888" 2780 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1 | | | |
4032 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1888.20.2098800617\356860712" -childID 3 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 7301 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1888 "\\.\pipe\gecko-crash-server-pipe.1888" 3896 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1 | | | |
772 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1888.27.1754522174\186099963" -childID 4 -isForBrowser -prefsHandle 3528 -prefMapHandle 3460 -prefsLen 8186 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 1888 "\\.\pipe\gecko-crash-server-pipe.1888" 3188 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1 | | | |
2632 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Netflix by M1st.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | firefox.exe
User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
1792 | "C:\Users\admin\Desktop\Netflix by M1st.exe" | C:\Users\admin\Desktop\Netflix by M1st.exe | — | explorer.exe
User: admin; Company: Company; Integrity Level: MEDIUM; Description: NewProduct 1.00 Installation; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the first launch at MEDIUM integrity failed because the binary requests elevation); Version: 1.00 | | | |
1812 | "C:\Users\admin\Desktop\Netflix by M1st.exe" | C:\Users\admin\Desktop\Netflix by M1st.exe | — | explorer.exe
User: admin; Company: Company; Integrity Level: HIGH; Description: NewProduct 1.00 Installation; Exit code: 0; Version: 1.00 | | | |
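The process table above carries three triage signals worth pulling out mechanically: WinRAR opened straight from the Firefox download (PID 2632, parent firefox.exe), the extracted EXE dying with exit code 3221226540 at MEDIUM integrity (PID 1792) and then running at HIGH integrity (PID 1812), i.e. a UAC elevation accepted by the user for a binary sitting on the Desktop. The following is an added example, not ANY.RUN's or the report's code: REPORT_PROCS is constructed from the rows above (PIDs, images, parent names, integrity levels and exit codes as listed), while the record layout, the rule names and the browser/archiver lists are my own assumptions.

```python
"""Triage helpers for a sandbox process listing.

Added example, not part of the ANY.RUN report. REPORT_PROCS is constructed
from the process table above; the record layout and rule names are assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values as sandboxes report them (unsigned 32-bit, shown in decimal).
STATUS_SUCCESS = 0x00000000
STATUS_ELEVATION_REQUIRED = 0xC000042C   # "The requested operation requires elevation"

NTSTATUS_NAMES = {
    STATUS_SUCCESS: "STATUS_SUCCESS",
    STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED",
}

# Assumed lists; extend for your environment.
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}
# Path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\desktop\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str                        # full path of the executable
    parent: str                       # parent image name, as the report lists it
    integrity: str                    # LOW / MEDIUM / HIGH
    exit_code: Optional[int] = None   # None: still running when analysis ended


def decode_exit_code(code: int) -> str:
    """Translate a decimal exit code into its NTSTATUS name (hex if unknown)."""
    code &= 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, "0x%08X" % code)


def elevation_relaunches(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(failed_pid, elevated_pid) pairs: the same image first exited with
    STATUS_ELEVATION_REQUIRED, then ran again at HIGH integrity. That is the
    footprint of a binary that demands admin rights and a user who accepted
    the UAC prompt."""
    pairs = []
    for failed in procs:
        if failed.exit_code != STATUS_ELEVATION_REQUIRED:
            continue
        for again in procs:
            if (again.pid != failed.pid
                    and again.image.lower() == failed.image.lower()
                    and again.integrity == "HIGH"):
                pairs.append((failed.pid, again.pid))
    return pairs


def high_integrity_from_user_paths(procs: List[Proc]) -> List[int]:
    """PIDs running at HIGH integrity from a directory the user can write to:
    downloaded code that has crossed the UAC boundary."""
    return [p.pid for p in procs
            if p.integrity == "HIGH"
            and any(frag in p.image.lower() for frag in USER_WRITABLE)]


def browser_spawned_archivers(procs: List[Proc]) -> List[int]:
    """PIDs of archivers launched directly by a browser, i.e. a downloaded
    archive opened straight from the download prompt."""
    return [p.pid for p in procs
            if p.image.lower().rsplit("\\", 1)[-1] in ARCHIVERS
            and p.parent.lower() in BROWSERS]


# Constructed from the report's process table.
REPORT_PROCS = [
    Proc(3376, r"C:\Program Files\Mozilla Firefox\firefox.exe", "explorer.exe", "MEDIUM", 0),
    Proc(1888, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe", "MEDIUM"),
    Proc(2632, r"C:\Program Files\WinRAR\WinRAR.exe", "firefox.exe", "MEDIUM", 0),
    Proc(1792, r"C:\Users\admin\Desktop\Netflix by M1st.exe", "explorer.exe", "MEDIUM", 3221226540),
    Proc(1812, r"C:\Users\admin\Desktop\Netflix by M1st.exe", "explorer.exe", "HIGH", 0),
]


def triage(procs: List[Proc]) -> dict:
    """Run every rule and return the findings keyed by rule name."""
    return {
        "browser_spawned_archivers": browser_spawned_archivers(procs),
        "elevation_relaunches": elevation_relaunches(procs),
        "high_integrity_from_user_paths": high_integrity_from_user_paths(procs),
    }


if __name__ == "__main__":
    for p in REPORT_PROCS:
        if p.exit_code is not None:
            print(p.pid, p.integrity, decode_exit_code(p.exit_code))
    print(triage(REPORT_PROCS))
```

The report lists parents by image name rather than PID, so the lineage checks are name based; against raw Sysmon or EDR telemetry you would key on parent PID and process GUID instead.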
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1888 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | — | —
1888 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | DE9496ACA551ADE408EF6466A11833A1 | 8F9C7FDB3E0BC01024E43A8E242468FC4DD4F74C725E32A883571635203DC10A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1888 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
1888 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2800 | certutil.exe | GET | 301 | 47.52.229.175:80 | http://egtch.com/thm_wp/webshare.exe | HK | — | — | malicious |
2976 | certutil.exe | GET | 200 | 47.52.229.175:80 | http://egtch.com/thm_wp/azor/SyStem.exe | HK | executable | 707 Kb | malicious |
1888 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2976 | certutil.exe | GET | 200 | 47.52.229.175:80 | http://egtch.com/thm_wp/azor/SyStem.exe | HK | executable | 707 Kb | malicious |
1888 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 280 b | whitelisted |
1888 | firefox.exe | POST | 200 | 143.204.208.173:80 | http://ocsp.sca1b.amazontrust.com/ | US | der | 471 b | whitelisted |
1888 | firefox.exe | POST | 200 | 143.204.208.173:80 | http://ocsp.sca1b.amazontrust.com/ | US | der | 471 b | whitelisted |
1888 | firefox.exe | POST | 200 | 143.204.208.173:80 | http://ocsp.sca1b.amazontrust.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1888 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1888 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
1888 | firefox.exe | 104.18.38.148:443 | shermore.info | Cloudflare Inc | US | shared |
1888 | firefox.exe | 35.160.108.61:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
1888 | firefox.exe | 52.13.239.123:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
1888 | firefox.exe | 13.35.253.28:443 | snippets.cdn.mozilla.net | — | US | malicious |
1888 | firefox.exe | 104.31.87.73:443 | anonfile.com | Cloudflare Inc | US | unknown |
1888 | firefox.exe | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious |
1888 | firefox.exe | 216.58.207.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
1888 | firefox.exe | 172.217.22.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
detectportal.firefox.com | — | whitelisted
a1089.dscd.akamai.net | — | whitelisted
search.services.mozilla.com | — | whitelisted
search.r53-2.services.mozilla.com | — | whitelisted
anonfile.com | — | whitelisted
push.services.mozilla.com | — | whitelisted
autopush.prod.mozaws.net | — | whitelisted
ocsp.digicert.com | — | whitelisted
cs9.wac.phicdn.net | — | whitelisted
tiles.services.mozilla.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
2976 | certutil.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2976 | certutil.exe | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
2976 | certutil.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2692 | RegAsm.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
2692 | RegAsm.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult |
2692 | RegAsm.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult v.3 |
2692 | RegAsm.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
2692 | RegAsm.exe | A Network Trojan was detected | ET TROJAN AZORult v3.2 Server Response M2 |
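The certutil.exe rows in the HTTP requests table (PIDs 2800 and 2976 fetching .exe files from egtch.com) and the matching IDS alerts above (PE download over HTTP, Microsoft Certutil user-agent) describe a living-off-the-land download that is easy to reproduce as detection logic over proxy or sandbox HTTP logs. Note that certutil.exe and the RegAsm.exe process (PID 2692) that beacons to the AZORult C2 do not appear in the process listing earlier on the page. The following is an added example, not ANY.RUN's or the report's code: HTTP_LOG is constructed from the report's HTTP rows (PIDs, processes, URLs and body types as listed) plus a user_agent column the page does not show; the "Microsoft-CryptoAPI/6.1" value for certutil is an assumption, and the svchost.exe CRL line is invented to stand in for legitimate Windows certificate traffic that carries the same user-agent.

```python
"""Detection logic for the certutil download pattern in the HTTP and alert tables.

Added example, not ANY.RUN's or the report's code. HTTP_LOG is constructed
from the report's HTTP rows; the user_agent column and the svchost CRL line
are assumptions that are not on the page.
"""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed log: pipe-separated, one request per line.
HTTP_LOG = """\
pid | process | method | status | url | type | user_agent
1888 | firefox.exe | POST | 200 | http://ocsp.digicert.com/ | der | Mozilla/5.0 (Windows NT 6.1; rv:68.0) Gecko/20100101 Firefox/68.0
2800 | certutil.exe | GET | 301 | http://egtch.com/thm_wp/webshare.exe | - | Microsoft-CryptoAPI/6.1
2976 | certutil.exe | GET | 200 | http://egtch.com/thm_wp/azor/SyStem.exe | executable | Microsoft-CryptoAPI/6.1
1040 | svchost.exe | GET | 200 | http://crl.example.test/root.crl | der | Microsoft-CryptoAPI/6.1
"""

CRYPTOAPI_UA_PREFIX = "Microsoft-CryptoAPI/"   # assumed UA of certutil -urlcache
LOLBIN_DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe"}
PE_EXTENSIONS = (".exe", ".dll", ".scr")


def parse_http_log(text: str) -> List[Dict[str, str]]:
    """Parse the pipe-separated table into one dict per request."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split("|")]
    return [dict(zip(header, (c.strip() for c in ln.split("|")))) for ln in lines[1:]]


def rules_for(rec: Dict[str, str]) -> List[str]:
    """Names of the detection rules a single request matches."""
    hits = []
    url = urlsplit(rec["url"])
    path = url.path.lower()
    proc = rec["process"].lower()
    body_is_pe = rec["type"] == "executable"

    # 1. A certificate/BITS/script LOLBin is fetching something named like a PE.
    #    Keyed on the URL as well as the body, so the 301 probe (PID 2800) is
    #    caught even though no executable came back.
    if proc in LOLBIN_DOWNLOADERS and (body_is_pe or path.endswith(PE_EXTENSIONS)):
        hits.append("LOLBIN_PE_DOWNLOAD")
    # 2. CryptoAPI user-agent with a PE body. The UA alone is normal Windows
    #    behaviour (CRL/AIA fetches), so it is only flagged together with a
    #    body that is not a certificate, CRL or OCSP response.
    if rec["user_agent"].startswith(CRYPTOAPI_UA_PREFIX) and body_is_pe:
        hits.append("CRYPTOAPI_UA_PE_BODY")
    # 3. Any PE delivered over cleartext HTTP, whatever the client.
    if url.scheme == "http" and body_is_pe:
        hits.append("PE_OVER_CLEARTEXT_HTTP")
    return hits


def evaluate(records: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(pid, rule) for every rule hit across the log."""
    return [(int(r["pid"]), hit) for r in records for hit in rules_for(r)]


def download_iocs(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(host, url) of every request that tripped a rule, ready for blocking."""
    return sorted({(urlsplit(r["url"]).hostname, r["url"]) for r in records if rules_for(r)})


if __name__ == "__main__":
    recs = parse_http_log(HTTP_LOG)
    for pid, rule in evaluate(recs):
        print(pid, rule)
    print(download_iocs(recs))
```

The "type" column is the sandbox's own classification of the response body; on a real proxy you would derive body_is_pe from the Content-Type header or, better, from the first two bytes of the body (MZ), since a server can label an executable as anything it likes.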