download: | qwerty.ps1 |
Full analysis: | https://app.any.run/tasks/dcc7bbba-97f7-478f-971f-665b08df0929 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | February 18, 2019, 20:19:57 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with very long lines |
MD5: | 2A38A8189A48B26EE932B937A8AFE529 |
SHA1: | 08331A029132D44BAD08345751DEFA276B674520 |
SHA256: | 44210681FA26A0DB1BC0E5FBCCBAA979B2A03C5AC6C4919D8E2EBD34486DFDCE |
SSDEEP: | 12288:/+4cJ4QK3tJMCiY7XKD+NZQkhuMW4mPpXx+dtxc:9cJ47tpdu+sH1A/xc |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2960 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\qwerty.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2456 | "C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | — | powershell.exe |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 | ||||
3596 | C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | hgsw.exe | |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 | ||||
3672 | C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | hgsw.exe | |
User: admin Integrity Level: MEDIUM Description: chiromancy Version: 1.09.0001 | ||||
3808 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2968 | "C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 | ||||
2300 | "C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 | ||||
3224 | "C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 | ||||
3940 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | hgsw.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2820 | C:\Users\Public\hgsw.exe" | C:\Users\Public\hgsw.exe | — | hgsw.exe |
User: admin Integrity Level: MEDIUM Description: chiromancy Exit code: 0 Version: 1.09.0001 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2960 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\92LKEXTH6CK44CNHIBA0.temp | — | |
MD5:— | SHA256:— | |||
3672 | hgsw.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi | — | |
MD5:— | SHA256:— | |||
3672 | hgsw.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim | — | |
MD5:— | SHA256:— | |||
3672 | hgsw.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.utnldcpjs | — | |
MD5:— | SHA256:— | |||
2960 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3596 | hgsw.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | |
MD5:D7A950FEFD60DBAA01DF2D85FEFB3862 | SHA256:75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A | |||
2960 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF246daf.TMP | binary | |
MD5:6073B6FC66D2E68644893344F6904E4A | SHA256:0F2F61C8DFC3A20C7A5E5133C19BA1493441440E5477254273F28F6F668E64B3 | |||
3672 | hgsw.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\UTNLDCPJS-DECRYPT.txt | text | |
MD5:6F8981CE932D23E4858C90CE3C2B0493 | SHA256:D7A38967A206C3FF09DA1706A18D82ABC9EE85C19DB4D97F60779748CE9E6948 | |||
3672 | hgsw.exe | C:\$Recycle.Bin\UTNLDCPJS-DECRYPT.txt | text | |
MD5:6F8981CE932D23E4858C90CE3C2B0493 | SHA256:D7A38967A206C3FF09DA1706A18D82ABC9EE85C19DB4D97F60779748CE9E6948 | |||
3672 | hgsw.exe | C:\Recovery\UTNLDCPJS-DECRYPT.txt | text | |
MD5:6F8981CE932D23E4858C90CE3C2B0493 | SHA256:D7A38967A206C3FF09DA1706A18D82ABC9EE85C19DB4D97F60779748CE9E6948 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3596 | hgsw.exe | POST | 200 | 77.221.146.5:80 | http://dsdfgdfsdegdf.ru/index.php | RU | text | 4 b | malicious |
3892 | hgsw.exe | POST | 200 | 77.221.146.5:80 | http://dsdfgdfsdegdf.ru/index.php | RU | text | 4 b | malicious |
3672 | hgsw.exe | GET | 301 | 185.52.2.154:80 | http://www.kakaocorp.link/ | NL | html | 162 b | malicious |
2840 | hgsw.exe | POST | 200 | 77.221.146.5:80 | http://dsdfgdfsdegdf.ru/index.php | RU | text | 4 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2840 | hgsw.exe | 77.221.146.5:80 | dsdfgdfsdegdf.ru | LeaseWeb Netherlands B.V. | RU | malicious |
3672 | hgsw.exe | 185.52.2.154:80 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
3672 | hgsw.exe | 185.52.2.154:443 | www.kakaocorp.link | RouteLabel V.O.F. | NL | suspicious |
3596 | hgsw.exe | 77.221.146.5:80 | dsdfgdfsdegdf.ru | LeaseWeb Netherlands B.V. | RU | malicious |
3892 | hgsw.exe | 77.221.146.5:80 | dsdfgdfsdegdf.ru | LeaseWeb Netherlands B.V. | RU | malicious |
Domain | IP | Reputation |
---|---|---|
dsdfgdfsdegdf.ru |
| malicious |
www.kakaocorp.link |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3596 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3596 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
3672 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3672 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] Blacklisted GandCrab Ransomware C2 Server |
3672 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] GandCrab v.5 SSL Connection |
2840 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
2840 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
3892 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
3892 | hgsw.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |