| Field | Value |
|---|---|
| File name | PUBG TE CFFHOOK.zip |
| Full analysis | https://app.any.run/tasks/a760940f-a979-4ed8-961c-2b3e70757c2e |
| Verdict | Malicious activity |
| Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
| Analysis date | June 12, 2019, 09:42:23 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v1.0 to extract |
| MD5 | 6E4058639EFB8EFCB30C4D50D378BE8C |
| SHA1 | 5989574900652220378BF7B4B768338D98EDC87A |
| SHA256 | 486861C1E824E01FCF1CB8D43211487D8135F12D82F7D5C6472DEF201C53482F |
| SSDEEP | 196608:y4jFmA8q5Cn7eLB07OBY6jvZO5NxIzMUL63n0ajF:bFZ27etjBdjvExIAWAF |

| Field | Value |
|---|---|
| File type | .zip, ZIP compressed archive (100) |
| ZipFileName | PUBG TE CFFHOOK/ |
| ZipUncompressedSize | - |
| ZipCompressedSize | - |
| ZipCRC | 0x00000000 |
| ZipModifyDate | 2019:06:10 15:14:16 |
| ZipCompression | None |
| ZipBitFlag | - |
| ZipRequiredVersion | 10 |

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3608 | `"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PUBG TE CFFHOOK.zip"` | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0 | | | |
| 3708 | `C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}` | C:\Windows\system32\DllHost.exe | — | svchost.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 3520 | `"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\READMY.txt` | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |
| 1108 | `"C:\Users\admin\Desktop\PUBG TE CFFHOOK.exe"` | C:\Users\admin\Desktop\PUBG TE CFFHOOK.exe | | explorer.exe |
| | User: admin; Integrity Level: MEDIUM | | | |
| 1048 | `"C:\Users\admin\Desktop\PUBG TE CFFHOOK.exe"` | C:\Users\admin\Desktop\PUBG TE CFFHOOK.exe | | explorer.exe |
| | User: admin; Integrity Level: MEDIUM | | | |
| 3048 | `"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\HackLoader.dll` | C:\Windows\system32\rundll32.exe | — | explorer.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3608.7828\PUBG TE CFFHOOK\1.jpg | — | — | — |
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3608.7828\PUBG TE CFFHOOK\HackLoader.dll | — | — | — |
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3608.7828\PUBG TE CFFHOOK\PUBG TE CFFHOOK.exe | — | — | — |
| 3608 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3608.7828\PUBG TE CFFHOOK\READMY.txt | — | — | — |
| 1108 | PUBG TE CFFHOOK.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l2-1-0.dll | executable | E479444BDD4AE4577FD32314A68F5D28 | C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719 |
| 1108 | PUBG TE CFFHOOK.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-processenvironment-l1-1-0.dll | executable | 5F73A814936C8E7E4A2DFD68876143C8 | 96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E |
| 1108 | PUBG TE CFFHOOK.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-libraryloader-l1-1-0.dll | executable | D0873E21721D04E20B6FFB038ACCF2F1 | BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE |
| 1108 | PUBG TE CFFHOOK.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-debug-l1-1-0.dll | executable | 88FF191FD8648099592ED28EE6C442A5 | C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D |
| 1108 | PUBG TE CFFHOOK.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-console-l1-1-0.dll | executable | 502263C56F931DF8440D7FD2FA7B7C00 | 94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231 |
| 1108 | PUBG TE CFFHOOK.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l1-1-0.dll | executable | 94AE25C7A5497CA0BE6882A00644CA64 | 7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | POST | 200 | 185.104.45.17:80 | http://xp1lht2kd6h.icu/index.php | GB | text | 2 b | malicious |
| 1108 | PUBG TE CFFHOOK.exe | POST | 200 | 185.104.45.17:80 | http://xp1lht2kd6h.icu/index.php | GB | binary | 4.27 Mb | malicious |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1108 | PUBG TE CFFHOOK.exe | 185.104.45.17:80 | xp1lht2kd6h.icu | Inhosted Lp | GB | malicious |
| — | — | 185.104.45.17:80 | xp1lht2kd6h.icu | Inhosted Lp | GB | malicious |

| Domain | IP | Reputation |
|---|---|---|
| xp1lht2kd6h.icu | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain |
| 1108 | PUBG TE CFFHOOK.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
| 1108 | PUBG TE CFFHOOK.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
| 1108 | PUBG TE CFFHOOK.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
| 1108 | PUBG TE CFFHOOK.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.icu domain |
| 1108 | PUBG TE CFFHOOK.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response |
| — | — | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
| — | — | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.icu domain |
| — | — | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
| — | — | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |

| Process | Message |
|---|---|
| PUBG TE CFFHOOK.exe | `%s------------------------------------------------`<br>`--- WinLicense Professional ---`<br>`--- (c)2012 Oreans Technologies ---`<br>`------------------------------------------------` |
| PUBG TE CFFHOOK.exe | `%s------------------------------------------------`<br>`--- WinLicense Professional ---`<br>`--- (c)2012 Oreans Technologies ---`<br>`------------------------------------------------` |