download: | qwerty.ps1 |
Full analysis: | https://app.any.run/tasks/39d9bbc2-d540-4bf6-a526-f0ab5a0b2590 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | February 18, 2019, 19:59:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 2A38A8189A48B26EE932B937A8AFE529 |
SHA1: | 08331A029132D44BAD08345751DEFA276B674520 |
SHA256: | 44210681FA26A0DB1BC0E5FBCCBAA979B2A03C5AC6C4919D8E2EBD34486DFDCE |
SSDEEP: | 12288:/+4cJ4QK3tJMCiY7XKD+NZQkhuMW4mPpXx+dtxc:9cJ47tpdu+sH1A/xc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2852 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\qwerty.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2476 | "C:\Users\Public\ajxn.exe" | C:\Users\Public\ajxn.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 | ||||
3016 | C:\Users\Public\ajxn.exe" | C:\Users\Public\ajxn.exe | ajxn.exe | |
User: admin Integrity Level: MEDIUM Description: chiromancy Version: 1.09.0001 | ||||
1380 | C:\Users\Public\ajxn.exe" | C:\Users\Public\ajxn.exe | ajxn.exe | |
User: admin Integrity Level: MEDIUM Description: chiromancy Version: 1.09.0001 | ||||
884 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | ajxn.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2932 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3FV7D4V0ZM7VCWAM0ENP.temp | — | |
MD5:— | SHA256:— | |||
2852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF198756.TMP | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2852 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:901ECDF767744E6BB59CB023757886E3 | SHA256:48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 | |||
2476 | ajxn.exe | C:\Users\admin\AppData\Local\Temp\~DF068A8C1CF5B7DBA1.TMP | binary | |
MD5:BBF514ACFBD61D697C5E7114E513616A | SHA256:9354ADF788F72A0E0D873091C6B061200B58C939FB002801DF2E369F78D9AFDC | |||
2852 | powershell.exe | C:\Users\Public\ajxn.exe | executable | |
MD5:68F81C8661C6466621CEFE3AAC8070EA | SHA256:54F8C8FD97967B329DE39FCD9FD262C30E945BA838DBCDA301DCFA1096CBE169 | |||
3016 | ajxn.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-errorhandling-l1-1-0.dll | executable | |
MD5:6D778E83F74A4C7FE4C077DC279F6867 | SHA256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325 | |||
3016 | ajxn.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-datetime-l1-1-0.dll | executable | |
MD5:CB978304B79EF53962408C611DFB20F5 | SHA256:90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3 | |||
3016 | ajxn.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-debug-l1-1-0.dll | executable | |
MD5:88FF191FD8648099592ED28EE6C442A5 | SHA256:C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D | |||
3016 | ajxn.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dll | executable | |
MD5:EFF11130BFE0D9C90C0026BF2FB219AE | SHA256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97 | |||
3016 | ajxn.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l1-1-0.dll | executable | |
MD5:94AE25C7A5497CA0BE6882A00644CA64 | SHA256:7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3016 | ajxn.exe | POST | — | 188.225.58.33:80 | http://dsdfgdfsdegdf.ru/index.php | RU | — | — | malicious |
1380 | ajxn.exe | GET | 301 | 185.52.2.154:80 | http://www.kakaocorp.link/ | NL | html | 162 b | malicious |
3016 | ajxn.exe | POST | 200 | 188.225.58.33:80 | http://dsdfgdfsdegdf.ru/index.php | RU | binary | 4.27 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1380 | ajxn.exe | 185.52.2.154:443 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
3016 | ajxn.exe | 188.225.58.33:80 | dsdfgdfsdegdf.ru | TimeWeb Ltd. | RU | suspicious |
1380 | ajxn.exe | 185.52.2.154:80 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
dsdfgdfsdegdf.ru |
| malicious |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3016 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3016 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
3016 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response |
3016 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3016 | ajxn.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |
1380 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
1380 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
1380 | ajxn.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |