File name: | 6306868794.bin.zip |
Full analysis: | https://app.any.run/tasks/b6bb7953-73ef-4365-ae20-a7be063aa48a |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | September 11, 2019, 08:31:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | B63A1D3001CC1A5BCC2104ECB8EB5D53 |
SHA1: | D04EBC24CC00EA67870C9EEF92DE7C5ADF4C65D5 |
SHA256: | 56B423E8F7E99CE24A6250507B1AC9E4476837A32F0518EBC5474EAEB9ECAA78 |
SSDEEP: | 12288:OZVZvijaJxMV5DH6Asfuez5GxNmHUguf4OkEokPhuDIX7dCjBb3RcN7VI:2iGJxMV5ThsGeFykCf4OIiusXhCh3RcM |
Format: | .zip | ZIP compressed archive (100) |
ZipFileName: | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286 |
ZipUncompressedSize: | 1007104 |
ZipCompressedSize: | 715335 |
ZipCRC: | 0xe53107ea |
ZipModifyDate: | 2019:09:10 17:44:24 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0001 |
ZipRequiredVersion: | 788 |

Note: a general-purpose bit flag of 0x0001 sets bit 0, which the ZIP specification defines as "entry is encrypted", so this is a password-protected archive; the `ShowPassword` value WinRAR writes in the registry section below is consistent with its password prompt having been shown. The single entry carries no extension and is named after its own SHA256.
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2736 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6306868794.bin.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2252 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286exe | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3668 | "C:\Users\admin\Desktop\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe" | C:\Users\admin\Desktop\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3700 | icacls "C:\Users\admin\AppData\Local\d176e5c1-96af-483e-8645-568277966c39" /deny *S-1-1-0:(OI)(CI)(DE,DC) | C:\Windows\system32\icacls.exe | — | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2572 | "C:\Users\admin\Desktop\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe" --Admin IsNotAutoStart IsNotTask | C:\Users\admin\Desktop\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | — | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | User: admin; Integrity Level: HIGH
3388 | "C:\Users\admin\AppData\Local\a8b9b2db-96a0-49c1-a068-9e8cef2dbf18\4.exe" | C:\Users\admin\AppData\Local\a8b9b2db-96a0-49c1-a068-9e8cef2dbf18\4.exe | — | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | User: admin; Integrity Level: HIGH; Exit code: 0

Two rows deserve attention. PID 3700 runs icacls against the GUID-named folder under %LOCALAPPDATA% into which the sample copies itself (see the file table, PID 3668 row), denying Everyone (S-1-1-0) the Delete and Delete-Child rights with object and container inheritance, so the staged copy cannot be removed by the user. PID 2572 is the sample relaunching itself with `--Admin IsNotAutoStart IsNotTask` and running at HIGH integrity, whereas the first instance (PID 3668) ran at MEDIUM; the downloaded 4.exe (PID 3388) is started from that elevated instance and inherits HIGH integrity.
All recorded registry writes come from WinRAR (PID 2736) and reflect its own UI state (archive history, extraction path, column widths, password-dialog checkbox); none are attributed to the sample or to 4.exe.

PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
2736 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\6306868794.bin.zip
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
2736 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3668 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\geo[1].json | — | — | —
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\geo[1].json | — | — | —
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\get[1].php | — | — | —
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\4[1].exe | — | — | —
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Local\a8b9b2db-96a0-49c1-a068-9e8cef2dbf18\4.exe | executable | 37CC975A1257BF260308FE30E1D3E7EE | CBC5C6867C6CAEAA956CCF8828D1618422DC87B21FD3A78653A0C601B29533A8
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\SystemID\PersonalID.txt | text | A3FFFCE7F3883000803421BF5B26E1B0 | 7E5F6DFE2DCB1EF15B593F1B4A0C53FC9E2E96A940156DAB9D6283AC40809D50
2736 | WinRAR.exe | C:\Users\admin\Desktop\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286 | executable | E15E3CFA542459E8D87E8BFDF70A38A1 | C2716FCC735A4F1B9FCE29CB1DC20A26969B71F615E2B119E9680F015379D286
3668 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Local\d176e5c1-96af-483e-8645-568277966c39\c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | executable | E15E3CFA542459E8D87E8BFDF70A38A1 | C2716FCC735A4F1B9FCE29CB1DC20A26969B71F615E2B119E9680F015379D286
3668 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A

The file WinRAR extracts to the Desktop (PID 2736 row) has no extension and is named after its own SHA256; the copy the sample writes into the GUID-named folder under %LOCALAPPDATA% (PID 3668 row) has the same MD5 and SHA256, i.e. it is a byte-identical self-copy. The cached geo[1].json, get[1].php and 4[1].exe entries under Content.IE5 show that the downloads went through the WinINet cache, which is why the 4.exe payload appears twice (cache entry and the copy under a8b9b2db-…).
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 404 | 8.208.13.6:80 | http://dell1.ug/files/cost/updatewin1.exe | US | html | 223 b | malicious |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 404 | 8.208.13.6:80 | http://dell1.ug/files/cost/updatewin2.exe | US | html | 223 b | malicious |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 404 | 8.208.13.6:80 | http://dell1.ug/files/cost/3.exe | US | html | 214 b | malicious |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 200 | 8.208.13.6:80 | http://dell1.ug/files/cost/4.exe | US | executable | 228 KB | malicious
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 200 | 8.208.13.6:80 | http://dell1.ug/hosuhf37t5iqy3guygg6w4guiner/37tiuywgw/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true | US | text | 560 b | malicious |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 404 | 8.208.13.6:80 | http://dell1.ug/files/cost/updatewin.exe | US | html | 222 b | malicious |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | GET | 404 | 8.208.13.6:80 | http://dell1.ug/files/cost/5.exe | US | html | 214 b | malicious |
3388 | 4.exe | POST | 200 | 194.87.238.60:80 | http://dell2.ug/1/index.php | RU | text | 4 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | 77.123.139.189:443 | api.2ip.ua | Volia | UA | unknown |
3668 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | 77.123.139.189:443 | api.2ip.ua | Volia | UA | unknown |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | 8.208.13.6:80 | dell1.ug | Level 3 Communications, Inc. | US | malicious |
3388 | 4.exe | 194.87.238.60:80 | dell2.ug | JSC Mediasoft ekspert | RU | malicious |
Domain | IP | Reputation
---|---|---
api.2ip.ua | 77.123.139.189 | shared
dell1.ug | 8.208.13.6 | malicious
dell2.ug | 194.87.238.60 | malicious
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET POLICY External IP Address Lookup DNS Query |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-PSW.Win32.Coins.nrc |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET TROJAN Potential Dridex.Maldoc Minimal Executable Request |
2572 | c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families) |
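The process tree, the HTTP request table and the alert table above record behaviours that translate directly into host- and network-side detection logic: the icacls deny-ACL on a GUID-named staging folder, the self-relaunch with `--Admin`, execution from that staging folder, the run of single-character and `updatewin*.exe` payload requests (most of them 404), and the check-in to get.php with an MD5-like `pid` parameter. The Python script below is an added example and is not part of the any.run report or of the sample; its input records are copied from this report's tables, while the rule names, the GUID-directory heuristic and the three-request threshold for the serial-fetch rule are my own choices.

```python
"""Detection checks derived from the process and HTTP tables of this report.

Added example (not part of the any.run report). The records below are copied
from the report's tables; the rule names and thresholds are the editor's own.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlparse

SAMPLE = "c2716fcc735a4f1b9fce29cb1dc20a26969b71f615e2b119e9680f015379d286.exe"

# Constructed from the process table: pid, image path, parent image, command line.
PROCESS_EVENTS = [
    {"pid": 2736, "image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": "explorer.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6306868794.bin.zip"'},
    {"pid": 3668, "image": rf"C:\Users\admin\Desktop\{SAMPLE}", "parent": "explorer.exe",
     "cmd": rf'"C:\Users\admin\Desktop\{SAMPLE}"'},
    {"pid": 3700, "image": r"C:\Windows\system32\icacls.exe", "parent": SAMPLE,
     "cmd": r'icacls "C:\Users\admin\AppData\Local\d176e5c1-96af-483e-8645-568277966c39" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"pid": 2572, "image": rf"C:\Users\admin\Desktop\{SAMPLE}", "parent": SAMPLE,
     "cmd": rf'"C:\Users\admin\Desktop\{SAMPLE}" --Admin IsNotAutoStart IsNotTask'},
    {"pid": 3388, "image": r"C:\Users\admin\AppData\Local\a8b9b2db-96a0-49c1-a068-9e8cef2dbf18\4.exe",
     "parent": SAMPLE, "cmd": r'"C:\Users\admin\AppData\Local\a8b9b2db-96a0-49c1-a068-9e8cef2dbf18\4.exe"'},
]

# Constructed from the HTTP requests table: pid, status code, URL.
HTTP_EVENTS = [
    {"pid": 2572, "status": 404, "url": "http://dell1.ug/files/cost/updatewin1.exe"},
    {"pid": 2572, "status": 404, "url": "http://dell1.ug/files/cost/updatewin2.exe"},
    {"pid": 2572, "status": 404, "url": "http://dell1.ug/files/cost/3.exe"},
    {"pid": 2572, "status": 200, "url": "http://dell1.ug/files/cost/4.exe"},
    {"pid": 2572, "status": 200, "url": "http://dell1.ug/hosuhf37t5iqy3guygg6w4guiner/37tiuywgw/get.php"
                                        "?pid=2485E9F082250E269EA0EF635E0D382D&first=true"},
    {"pid": 2572, "status": 404, "url": "http://dell1.ug/files/cost/updatewin.exe"},
    {"pid": 2572, "status": 404, "url": "http://dell1.ug/files/cost/5.exe"},
    {"pid": 3388, "status": 200, "url": "http://dell2.ug/1/index.php"},
]

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# A GUID-named directory directly under %LOCALAPPDATA%, either as the final
# path element or as a prefix of a longer path (heuristic chosen for this example).
LOCALAPPDATA_GUID_DIR = re.compile(rf"\\AppData\\Local\\{GUID}(?:\\|$)", re.IGNORECASE)
# icacls <dir> /deny *S-1-1-0:...  -> Everyone is denied rights on <dir>.
ICACLS_DENY_EVERYONE = re.compile(
    r'^icacls\s+(?:"(?P<qdir>[^"]+)"|(?P<udir>\S+))\s+/deny\s+\*S-1-1-0:', re.IGNORECASE)


def check_process(ev):
    """Return the rule names that fire on one process-creation record."""
    hits = []
    image = PureWindowsPath(ev["image"]).name.lower()
    parent = PureWindowsPath(ev["parent"]).name.lower()
    m = ICACLS_DENY_EVERYONE.match(ev["cmd"])
    if m and LOCALAPPDATA_GUID_DIR.search(m.group("qdir") or m.group("udir")):
        hits.append("icacls_deny_everyone_on_localappdata_guid_dir")
    # The same binary spawning itself with --Admin (the elevated second instance).
    if image == parent and "--Admin" in ev["cmd"].split():
        hits.append("self_relaunch_with_admin_flag")
    if LOCALAPPDATA_GUID_DIR.search(ev["image"]):
        hits.append("execution_from_localappdata_guid_dir")
    return hits


def check_http(ev):
    """Return the rule names that fire on one HTTP request record."""
    hits = []
    u = urlparse(ev["url"])
    basename = u.path.rsplit("/", 1)[-1]
    query = parse_qs(u.query)
    if re.fullmatch(r"\d\.exe", basename, re.IGNORECASE):      # cf. the ET "Single char EXE" alert
        hits.append("single_char_exe_download")
    if re.fullmatch(r"updatewin\d*\.exe", basename, re.IGNORECASE):
        hits.append("updatewin_exe_download")
    pid_param = query.get("pid", [""])[0]
    if re.fullmatch(r"[0-9a-f]{32}", pid_param, re.IGNORECASE) and query.get("first") == ["true"]:
        hits.append("checkin_with_md5_like_pid")
    return hits


def serial_exe_fetchers(events, threshold=3):
    """(pid, host) pairs that requested at least `threshold` distinct .exe paths.
    Status codes are ignored on purpose: the 404s for payloads that were not
    staged are as telling as the single 200."""
    distinct = Counter()
    seen = set()
    for ev in events:
        u = urlparse(ev["url"])
        key = (ev["pid"], u.hostname, u.path.lower())
        if key[2].endswith(".exe") and key not in seen:
            seen.add(key)
            distinct[(ev["pid"], u.hostname)] += 1
    return sorted(k for k, n in distinct.items() if n >= threshold)


def run_all(process_events=PROCESS_EVENTS, http_events=HTTP_EVENTS):
    """Evaluate every rule over both record sets; returns (pid, rule) pairs."""
    findings = [(ev["pid"], r) for ev in process_events for r in check_process(ev)]
    findings += [(ev["pid"], r) for ev in http_events for r in check_http(ev)]
    findings += [(pid, f"serial_exe_fetch_from_{host}") for pid, host in serial_exe_fetchers(http_events)]
    return findings


if __name__ == "__main__":
    for pid, rule in run_all():
        print(pid, rule)
```

Run against the records above, the script flags PIDs 3700, 2572 and 3388 on the host side and every dell1.ug request on the network side, while the WinRAR launch, the first (MEDIUM-integrity) run of the sample and the POST to dell2.ug/1/index.php produce nothing, which is the point: the behavioural rules fire on what the sample does, not on the hashes or domains of this one run. The `serial_exe_fetchers` aggregate is the rule worth carrying into production, since a client cycling through several `.exe` paths on one host within seconds is visible in proxy logs even when every individual filename changes.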