File name: | 407a09db9965e60a43e18ef4510ff90ac835a40a6fc3ca638b77975ce387e9cd.xlsx |
Full analysis: | https://app.any.run/tasks/1db3d510-fd3d-43a2-883d-72d4c3ad7563 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | September 11, 2019, 03:04:00 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
File info: | Microsoft Excel 2007+ |
MD5: | 965033BDC4BA2DB14DADC2EE2C3E2B7A |
SHA1: | 5E4B324A9978F7CB0447F24C418BEB0FD358783A |
SHA256: | 407A09DB9965E60A43E18EF4510FF90AC835A40A6FC3CA638B77975CE387E9CD |
SSDEEP: | 192:AFZXTbOV8vdQjm11ACcVT/OCu40qfZDaE7nK:AFZm8qm1mCcVbOZ40qfnnK |
.xlsx | | | Excel Microsoft Office Open XML Format document (61.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (31.5) |
.zip | | | ZIP compressed archive (7.2) |
AppVersion: | 12 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
Company: | Hewlett-Packard |
TitlesOfParts: |
|
HeadingPairs: |
|
ScaleCrop: | No |
DocSecurity: | None |
Application: | Microsoft Excel |
ModifyDate: | 2019:09:10 18:03:36Z |
CreateDate: | 2019:09:10 18:03:05Z |
LastModifiedBy: | SLYOPEZ |
Creator: | SLYOPEZ |
---|
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 1641 |
ZipCompressedSize: | 381 |
ZipCRC: | 0x52293798 |
ZipModifyDate: | 2019:09:10 19:21:02 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0002 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3520 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
3348 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
3324 | C:\Users\admin\AppData\Roaming\susponmetf569032.exe | C:\Users\admin\AppData\Roaming\susponmetf569032.exe | — | EQNEDT32.EXE |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3652 | "C:\Users\admin\AppData\Roaming\susponmetf569032.exe" | C:\Users\admin\AppData\Roaming\susponmetf569032.exe | — | susponmetf569032.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3700 | "C:\Users\admin\AppData\Roaming\susponmetf569032.exe" | C:\Users\admin\AppData\Roaming\susponmetf569032.exe | susponmetf569032.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3520 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9B6A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3348 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\chfazo[1].exe | executable | |
MD5:8D4D26BF425757647A3C9714160FC072 | SHA256:6E6B49E1E0C5ABB997E940DC403B2C7BDBBEBA6693702DEEA1EB3A6FC2D9F4B2 | |||
3348 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\susponmetf569032.exe | executable | |
MD5:8D4D26BF425757647A3C9714160FC072 | SHA256:6E6B49E1E0C5ABB997E940DC403B2C7BDBBEBA6693702DEEA1EB3A6FC2D9F4B2 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3700 | susponmetf569032.exe | POST | 200 | 79.124.8.128:80 | http://79.124.8.128/index.php | BG | text | 7 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3348 | EQNEDT32.EXE | 208.115.234.234:443 | yogeshcycles.com | Limestone Networks, Inc. | US | malicious |
3700 | susponmetf569032.exe | 79.124.8.128:80 | — | Transact Payment Services Group - Bulgaria EOOD | BG | malicious |
Domain | IP | Reputation |
---|---|---|
yogeshcycles.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3700 | susponmetf569032.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
3700 | susponmetf569032.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
3700 | susponmetf569032.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
3700 | susponmetf569032.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
3700 | susponmetf569032.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
3700 | susponmetf569032.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |