Field | Value |
---|---|
File name | setup.exe |
Full analysis | https://app.any.run/tasks/9f7d5742-5ae9-45b5-b19f-d5d708de6584 |
Verdict | Malicious activity |
Threats | AZORult, an information stealer that harvests banking data (saved passwords and credit-card details) and cryptocurrency wallets. The family is actively maintained and remains a live threat. |
Analysis date | December 18, 2018, 07:44:49 |
OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | FC6B63EFD66BB6F665E5BA8DE18C95A7 |
SHA1 | D08C7FC8BB9CCE8DC29B70BD5FDF51761A15B566 |
SHA256 | 5CC0978DF7E026F3A580B05ED43AFDB106E101122D7C1D38776990E355BE06BD |
SSDEEP | 3072:QwzGwcd9ECNE+y3sNQtd26GfxEwbc3Bn0TA8vzZ4xk74Glmzss+p:d4EC+V3sNW4fxT9AoCxqiAp |
TrID file-type guesses. TrID is a heuristic over byte patterns; its top hit, "Win64", contradicts the PE32 / Intel 386 header above, so the PE header is the one to trust.

Extension | TrID match | Probability (%) |
---|---|---|
.exe | Win64 Executable (generic) | 64.6 |
.dll | Win32 Dynamic Link Library (generic) | 15.4 |
.exe | Win32 Executable (generic) | 10.5 |
.exe | Generic Win/DOS Executable | 4.6 |
.exe | DOS Executable Generic | 4.6 |
PE header and version-resource fields (ExifTool output):

Field | Value |
---|---|
MachineType | Intel 386 or later, and compatibles |
TimeStamp | 2018:03:22 20:50:44+01:00 |
PEType | PE32 |
LinkerVersion | 14 |
CodeSize | 65024 |
InitializedDataSize | 159744 |
UninitializedDataSize | - |
EntryPoint | 0x65db |
OSVersion | 5.1 |
ImageVersion | - |
SubsystemVersion | 5.1 |
Subsystem | Windows GUI |
FileVersionNumber | 7.0.0.0 |
ProductVersionNumber | 3.0.0.0 |
FileFlagsMask | 0x004f |
FileFlags | (none) |
FileOS | Unknown (0x40534) |
ObjectFileType | Executable application |
FileSubtype | - |
LanguageCode | Unknown (457A) |
CharacterSet | Unknown (A56B) |
FileVersion | 9.7.6.35 |
InternalName | cipab.exe |
LegalCopyright | Copyright (C) 2017, guzin |
ProductVersion | 9.7.6.35 |

The version resource is internally inconsistent. The binary fields of VS_FIXEDFILEINFO (FileVersionNumber 7.0.0.0, ProductVersionNumber 3.0.0.0) disagree with the string fields (FileVersion and ProductVersion both 9.7.6.35), and FileOS (0x40534), LanguageCode (0x457A) and CharacterSet (0xA56B) are not values defined for VERSIONINFO. Together with an InternalName (cipab.exe) that does not match the submitted file name, this points to a generated or randomised VERSIONINFO block of the kind crypters emit, not a real product build; none of these strings should be used for attribution. The linker version (14) does mean the file was produced with a Visual Studio 2015-or-later toolchain, which matches the CRT forwarder DLLs it drops.
Process tree. The CMD, Path, Indicators and Parent columns are as reported; the final column collapses the per-process detail rows (user, integrity level, exit code, and the file description and version for the Microsoft binaries).

PID | CMD | Path | Indicators | Parent process | User / Integrity / Exit code |
---|---|---|---|---|---|
2928 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | — | explorer.exe | admin / MEDIUM / 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) |
1020 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | — | explorer.exe | admin / HIGH / 0 |
3972 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "setup.exe" | C:\Windows\system32\cmd.exe | — | setup.exe | admin / HIGH / 0 (Microsoft Corporation, Windows Command Processor, 6.1.7601.17514 (win7sp1_rtm.101119-1850)) |
2688 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe | admin / HIGH / 0 (Microsoft Corporation, timeout - pauses command processing, 6.1.7600.16385 (win7_rtm.090713-1255)) |

Two things in this tree matter for triage. First, the sample does not run at the user's integrity level. The launch from explorer.exe (PID 2928, MEDIUM) ends with exit code 3221226540, which is the NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED, and the identical command line reappears as PID 1020 at HIGH integrity. That is what a binary that demands administrator rights looks like (an embedded requireAdministrator manifest or an explicit elevated relaunch; the report does not show which) once the elevation is granted; on a host with UAC set to prompt, the user would have seen a consent dialog. Every later event in this report, including the HKLM registry writes, belongs to the elevated instance, PID 1020. Second, PID 1020 spawns cmd.exe with `/c timeout 3 & del "setup.exe"`: it waits three seconds for the parent to exit and then removes the dropper from disk, a standard anti-forensic step for stealers. Because `del` is given a relative path, the command relies on cmd.exe inheriting the Temp directory as its working directory. For hunting, match the delay (`timeout`, or a `ping` loop) followed by `del` in a cmd.exe child of a non-Microsoft parent rather than the literal file name.
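The two process-tree patterns above, an elevation relaunch and a delayed self-delete, are easy to miss in a raw event list. The following is an added example, written for this page and not part of the ANY.RUN report or AZORult, that checks for both over a small event list hand-copied from the table (the `ProcEvent` fields and the event list are constructed for the example; the only external fact it relies on is that 3221226540 is NTSTATUS 0xC000042C):

```python
"""Triage helpers for a sandbox process tree: UAC elevation relaunch and cmd.exe self-deletion."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# NTSTATUS value behind the decimal exit code 3221226540 reported for PID 2928
STATUS_ELEVATION_REQUIRED = 0xC000042C
NTSTATUS_NAMES = {STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED"}

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}

# cmd /c <delay> & del <file>: delay is "timeout N" or a ping loop, separator is & or &&
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+.*?(?:timeout(?:\.exe)?\s+(?:/t\s+)?\d+|ping(?:\.exe)?\s[^&]*)'
    r'\s*&+\s*(?:del|erase)(?:\s+/\w)*\s+"?(?P<target>[^"\s]+)"?',
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    pid: int
    image: str        # image file name only, e.g. "setup.exe"
    cmdline: str
    parent: str       # parent image file name
    integrity: str    # "LOW" / "MEDIUM" / "HIGH" / "SYSTEM"
    exit_code: Optional[int] = None


# Constructed from the process table in the report (hand-copied; not an ANY.RUN export)
EVENTS: List[ProcEvent] = [
    ProcEvent(2928, "setup.exe", r'"C:\Users\admin\AppData\Local\Temp\setup.exe"', "explorer.exe", "MEDIUM", 3221226540),
    ProcEvent(1020, "setup.exe", r'"C:\Users\admin\AppData\Local\Temp\setup.exe"', "explorer.exe", "HIGH", 0),
    ProcEvent(3972, "cmd.exe", r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "setup.exe"', "setup.exe", "HIGH", 0),
    ProcEvent(2688, "timeout.exe", r"C:\Windows\system32\timeout.exe 3", "cmd.exe", "HIGH", 0),
]


def describe_exit(code: int) -> str:
    """Render a decimal sandbox exit code as NTSTATUS hex plus its symbolic name when known."""
    code &= 0xFFFFFFFF
    name = NTSTATUS_NAMES.get(code)
    return f"0x{code:08X}" + (f" ({name})" if name else "")


def elevation_findings(events: List[ProcEvent]) -> List[Dict]:
    """Pair a launch that died with STATUS_ELEVATION_REQUIRED with a later run of the same
    command line at a higher integrity level: the shape of a UAC-elevated relaunch."""
    out = []
    for failed in events:
        if failed.exit_code is None or (failed.exit_code & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED:
            continue
        for ev in events:
            if ev is failed or ev.cmdline != failed.cmdline:
                continue
            if INTEGRITY_RANK.get(ev.integrity, -1) > INTEGRITY_RANK.get(failed.integrity, -1):
                out.append({"first_pid": failed.pid, "elevated_pid": ev.pid, "image": ev.image,
                            "from": failed.integrity, "to": ev.integrity})
    return out


def self_delete_findings(events: List[ProcEvent]) -> List[Dict]:
    """Flag cmd.exe 'delay then del' one-liners; self_delete is True when the deleted file
    has the same name as the process that spawned cmd.exe."""
    out = []
    for ev in events:
        m = SELF_DELETE_RE.search(ev.cmdline)
        if not m:
            continue
        target = m.group("target")
        out.append({"pid": ev.pid, "parent": ev.parent, "target": target,
                    "self_delete": target.rsplit("\\", 1)[-1].lower() == ev.parent.lower()})
    return out


def triage(events: List[ProcEvent]) -> Dict:
    return {"elevation": elevation_findings(events), "self_delete": self_delete_findings(events)}


if __name__ == "__main__":
    for ev in EVENTS:
        if ev.exit_code:
            print(f"PID {ev.pid} exit {ev.exit_code} = {describe_exit(ev.exit_code)}")
    print(triage(EVENTS))
```

The self-delete matcher deliberately keys on the parent's image name rather than on `setup.exe`, and accepts `ping` loops and `del /f /q` variants, so the same rule carries over to other droppers; the elevation matcher requires the command lines to be identical, which is what distinguishes a UAC relaunch from a parent that merely starts an elevated helper.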
Registry writes, all by the elevated instance PID 1020 (setup.exe); values are decimal as reported:

Key | Name | Value |
---|---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32 | EnableFileTracing | 0 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32 | EnableConsoleTracing | 0 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32 | FileTracingMask | 4294901760 (0xFFFF0000) |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32 | ConsoleTracingMask | 4294901760 (0xFFFF0000) |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32 | MaxFileSize | 1048576 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASAPI32 | FileDirectory | %windir%\tracing |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS | EnableFileTracing | 0 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS | EnableConsoleTracing | 0 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS | FileTracingMask | 4294901760 (0xFFFF0000) |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\setup_RASMANCS | ConsoleTracingMask | 4294901760 (0xFFFF0000) |

These keys are neither persistence nor something the malware's own code asks for. The RAS tracing subsystem creates HKLM\SOFTWARE\Microsoft\Tracing\<image name>_RASAPI32 and _RASMANCS with exactly these default values the first time a process loads rasapi32.dll and rasman.dll, which WinINet does when it initialises its connection handling. Their presence is a side effect of the HTTP activity below, and the only reason the writes to HKLM succeeded is that PID 1020 runs at HIGH integrity. Use them as corroboration that the process went through WinINet, not as an indicator of compromise: any WinINet-based program run as administrator leaves the same keys, named after its own image.
Files written by PID 1020 (setup.exe), all executables dropped into a randomly named subfolder of the user's Temp directory:

Filename | Type | MD5 | SHA256 |
---|---|---|---|
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l2-1-0.dll | executable | E479444BDD4AE4577FD32314A68F5D28 | C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719 |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-debug-l1-1-0.dll | executable | 88FF191FD8648099592ED28EE6C442A5 | C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l1-1-0.dll | executable | 94AE25C7A5497CA0BE6882A00644CA64 | 7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-processthreads-l1-1-0.dll | executable | A2D7D7711F9C0E3E065B2929FF342666 | 9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-interlocked-l1-1-0.dll | executable | D97A1CB141C6806F0101A5ED2673A63D | DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-datetime-l1-1-0.dll | executable | CB978304B79EF53962408C611DFB20F5 | 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3 |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-string-l1-1-0.dll | executable | 12CC7D8017023EF04EBDD28EF9558305 | 7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311 |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l1-2-0.dll | executable | E2F648AE40D234A3892E1455B4DBBE05 | C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03 |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dll | executable | EFF11130BFE0D9C90C0026BF2FB219AE | 03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97 |
C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-console-l1-1-0.dll | executable | 502263C56F931DF8440D7FD2FA7B7C00 | 94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231 |

Every dropped file is an api-ms-win-core-* API-set forwarder DLL of the kind shipped with the Universal CRT redistributable, which is consistent with a binary built by a linker version 14 toolchain carrying its own CRT dependencies so that it runs on a Windows 7 host without the UCRT update installed. They are support files, not the payload: the stealer logic stays in setup.exe and in whatever the C2 returns (the 4.27 Mb binary response in the network section below). Before adding these hashes to a blocklist, compare them with the Microsoft-published UCRT binaries; if they match, the hashes would only ever flag legitimate software, and the useful host indicator is the random Temp subfolder name pattern plus the dropper's own hash.
HTTP requests:

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1020 | setup.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json | DE | text | 347 b | shared |
1020 | setup.exe | POST | 200 | 212.47.243.9:80 | http://212.47.243.9/8AC503FE-7249-4FCF-883A-897E5DBB6D9E/index.php | FR | text | 2 b | malicious |
1020 | setup.exe | POST | 200 | 212.47.243.9:80 | http://212.47.243.9/8AC503FE-7249-4FCF-883A-897E5DBB6D9E/index.php | FR | binary | 4.27 Mb | malicious |

The traffic has three characteristics worth pivoting on. The GET to ip-api.com/json is an external IP and geolocation lookup, a common victim-profiling step in stealers, and it is also the reason the "External IP Lookup" policy alert fires below. The two POSTs go over cleartext HTTP to a bare IP address, with a GUID-shaped directory and index.php in the path, which is the layout of AZORult's PHP C2 panel; one is answered with a 2-byte text response and the other with a 4.27 Mb binary blob. A download of that size is consistent with AZORult's documented behaviour of fetching its configuration and the helper libraries it needs to read browser credential stores from the C2 instead of carrying them in the dropper, but the report does not decode the response, so treat that reading as an inference. For blocking, the durable indicators are the host 212.47.243.9 and the POST-to-dotted-quad-with-GUID-path pattern; the GUID itself is per-campaign and the panel path changes with every build.

Connections:

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1020 | setup.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
1020 | setup.exe | 212.47.243.9:80 | — | Online S.a.s. | FR | malicious |

DNS requests (the C2 is contacted by IP literal, so only the lookup service is resolved):

Domain | IP | Reputation |
---|---|---|
ip-api.com | 185.194.141.58 | shared |
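The request characteristics described above (external IP lookup, POST to a dotted quad, GUID path segment, cleartext transport, oversized binary response) are what the ET and PTsecurity alerts below encode as signatures. As an added example that is not part of the ANY.RUN report, the following classifies a request list hand-copied from the HTTP table the same way, so the logic can be run over proxy or sandbox logs without an IDS. The request records and the `IP_LOOKUP_HOSTS` list are constructed for the example, and the 4.27 Mb size is approximated in bytes:

```python
"""Classify sandbox HTTP requests the way the ET/PTsecurity alerts do, without the IDS."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Services that answer "what is my public IP / where am I"; stealers call one to tag the victim
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io", "ifconfig.me", "icanhazip.com",
                   "checkip.amazonaws.com"}
GUID_RE = re.compile(r"^[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}$", re.IGNORECASE)

# Constructed from the HTTP table in the report (sizes from the "Size" column; 4.27 Mb approximated)
HTTP_REQUESTS: List[Dict] = [
    {"pid": 1020, "method": "GET", "status": 200,
     "url": "http://ip-api.com/json", "resp_type": "text", "resp_bytes": 347},
    {"pid": 1020, "method": "POST", "status": 200,
     "url": "http://212.47.243.9/8AC503FE-7249-4FCF-883A-897E5DBB6D9E/index.php",
     "resp_type": "text", "resp_bytes": 2},
    {"pid": 1020, "method": "POST", "status": 200,
     "url": "http://212.47.243.9/8AC503FE-7249-4FCF-883A-897E5DBB6D9E/index.php",
     "resp_type": "binary", "resp_bytes": 4_270_000},
]


def is_dotted_quad(host: str) -> bool:
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def classify(req: Dict) -> List[str]:
    """Return the traffic characteristics a hunter would pivot on, in a fixed order."""
    parts = urlsplit(req["url"])
    host = (parts.hostname or "").lower()
    method = req["method"].upper()
    tags = []
    if host in IP_LOOKUP_HOSTS:
        tags.append("external-ip-lookup")          # ET POLICY External IP Lookup
    if method == "POST" and is_dotted_quad(host):
        tags.append("post-to-dotted-quad")         # ET INFO SUSPICIOUS POST to Dotted Quad
    if any(GUID_RE.match(seg) for seg in parts.path.split("/") if seg):
        tags.append("guid-path")                   # per-campaign GUID directory, as in AZORult C2 URLs
    if parts.scheme == "http":
        tags.append("cleartext")                   # headers and bodies visible to network inspection
    if method == "POST" and req["resp_type"] == "binary" and req["resp_bytes"] >= 1_000_000:
        tags.append("large-binary-response")       # config/library bundle or payload pulled from the C2
    return tags


def c2_candidates(reqs: List[Dict]) -> List[str]:
    """Hosts that received a POST to a dotted quad with a GUID path: the blockable indicator."""
    hosts = {urlsplit(r["url"]).hostname for r in reqs
             if {"post-to-dotted-quad", "guid-path"} <= set(classify(r))}
    return sorted(hosts)


if __name__ == "__main__":
    for r in HTTP_REQUESTS:
        print(r["method"], r["url"], "->", ", ".join(classify(r)))
    print("block:", c2_candidates(HTTP_REQUESTS))
```

Each tag on its own is noisy (plenty of legitimate software calls an IP lookup service or POSTs to a bare address), which is why `c2_candidates` requires the dotted-quad POST and the GUID path together before naming a host; that combination is the one a blocklist entry can be built on, while the per-campaign GUID is left out of the match so the rule does not break on the next build.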
Suricata alerts raised on the traffic:

PID | Process | Class | Message |
---|---|---|---|
1020 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
1020 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
1020 | setup.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
1020 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response |
1020 | setup.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
1020 | setup.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |

The PTsecurity AZORult signatures match on the plaintext HTTP request and response headers of the C2 exchange, so they are the high-confidence alerts here but would go silent if the panel moved behind TLS. The two ET rules are behavioural (a POST to a literal IP with a browser-impersonating User-Agent, and the ip-api.com lookup); they keep firing across rebuilds of the malware at the cost of also matching benign software that does the same, so they are better used for correlation than for blocking on their own.