File name: INVOICE.doc

Full analysis: https://app.any.run/tasks/216c78da-91a9-4743-b231-2b6f453ea714
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: January 18, 2019, 05:09:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: ole-embedded, trojan, rat, azorult, opendir, stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: 0D23E732B9C94A63054DE00FEDAFACB4
SHA1: 3A25FC868C01D3D75EF0FC27D642B785A9AD62E6
SHA256: 63C5CE3013980E8412918D25F41E1CA43D52EFE66E540B0E7AAC1C96569DBD2C
SSDEEP: 12288:4h6jIdvQBYa0G2h5U3YOteYKixFKXtyBe6Q1OjIROdXPZ:wfdvUYaHoqTtBnFKXof3dB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3060)
    • Runs app for hidden code execution

      • cmd.exe (PID: 2980)
      • cmd.exe (PID: 1248)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3060)
    • Application was dropped or rewritten from another process

      • saver.scr (PID: 2968)
    • AZORULT was detected

      • saver.scr (PID: 2968)
    • Connects to CnC server

      • saver.scr (PID: 2968)
    • Actions looks like stealing of personal data

      • saver.scr (PID: 2968)
    • Loads dropped or rewritten executable

      • saver.scr (PID: 2968)
    • Stealing of credential data

      • saver.scr (PID: 2968)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 2980)
      • cmd.exe (PID: 1248)
      • cmd.exe (PID: 2948)
      • saver.scr (PID: 2968)
    • Executes scripts

      • cmd.exe (PID: 2948)
    • Executable content was dropped or overwritten

      • cscript.exe (PID: 2320)
      • saver.scr (PID: 2968)
    • Uses TASKKILL.EXE to kill Office Apps

      • cmd.exe (PID: 2948)
    • Reads the machine GUID from the registry

      • cscript.exe (PID: 2320)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2584)
      • cmd.exe (PID: 2948)
      • cmd.exe (PID: 2724)
      • cmd.exe (PID: 2512)
      • cmd.exe (PID: 2444)
      • cmd.exe (PID: 1472)
      • cmd.exe (PID: 2944)
    • Application launched itself

      • cmd.exe (PID: 2948)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2948)
    • Starts Microsoft Office Application

      • cmd.exe (PID: 2948)
    • Reads the cookies of Google Chrome

      • saver.scr (PID: 2968)
  • INFO

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 3060)
      • WINWORD.EXE (PID: 3056)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3060)
      • WINWORD.EXE (PID: 3056)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3060)
      • WINWORD.EXE (PID: 3056)
    • Dropped object may contain Bitcoin addresses

      • cscript.exe (PID: 2320)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
Total processes: 83
Monitored processes: 42
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Process chain (in launch order): winword.exe, cmd.exe, cmd.exe, cmd.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, cmd.exe, timeout.exe, cmd.exe, timeout.exe, timeout.exe, timeout.exe, timeout.exe, cscript.exe, taskkill.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, reg.exe, cmd.exe, reg.exe, #AZORULT saver.scr, winword.exe, cmd.exe, timeout.exe

Process information

PID: 3060
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\INVOICE.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 1
Version: 14.0.5123.5000

PID: 2980
CMD: "C:\Windows\System32\cmd.exe" /C CmD < "C:\Users\admin\AppData\Local\Temp\ufFm.cMD"
Path: C:\Windows\System32\cmd.exe
Parent process: WINWORD.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2656
CMD: CmD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2948
CMD: C:\Windows\system32\cmd.exe /K itnqknf5.CMD
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2712
CMD: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2080
CMD: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2732
CMD: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2676
CMD: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2704
CMD: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2112
CMD: TIMEOUT /T 1
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 16 459
Read events: 16 049
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 49
Suspicious files: 4
Text files: 22
Unknown types: 7

Dropped files

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\CVRFC2F.tmp.cvr
Type:
MD5:
SHA256:

PID: 2948 (cmd.exe)
Filename: C:\Users\admin\Desktop\INVOICE.doc\:Zone.Identifier:$DATA
Type:
MD5:
SHA256:

PID: 2320 (cscript.exe)
Filename: C:\Users\admin\AppData\Local\Temp\gondi.doc
Type: text
MD5: 3790051BC2F564F6337614417202E89E
SHA256: A3C8998B02922559F2BBA9BA6E6F8C4C356AD7232370D430EDB1F63C74402172

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\INVOICE.LNK
Type: lnk
MD5: 2DFA724DE8B4E2B8D9631BB1F1265B98
SHA256: E1E87656D93CE0292602A3D875D4A4E5E257B1E9AA79D07E7D3EFFD5A6933023

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Type: text
MD5: EA0BA5BF7450365A8D7B348D6D243C17
SHA256: 23C3104F855AA1D237D3E78F943459763FA30DD6FFDA5B33A0C4F1848D042D3D

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\itnqknf5.cmd
Type: text
MD5: 0F449E1063DB3EA5414F296531B7311C
SHA256: 913EEC785D953BE2DEE24FD0AF2242F72B7FC6081C6B6AFA4B9D4BF2678339CE

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\uffm.cmd
Type: text
MD5: 0A329C340B71DBC60D29F2419ABCB9F9
SHA256: 42F9DE6445D938BF8797420D9D2649926F23F2583DEC9C022F4E121AAE566519

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\a.ScT
Type: xml
MD5: FDA8A7B4CDFD1BD4814D88E55F49FB79
SHA256: F05C67D7348881159DF452E6A2037A776307928DAE67363EC06FA07460A814A2

PID: 3060 (WINWORD.EXE)
Filename: C:\Users\admin\AppData\Local\Temp\opa.zip
Type: compressed
MD5: DC628457E94320CC37CD914D50279F26
SHA256: 4A6CC0E762EB718D9DAC430F556369DAE938DF805BB62FF26161167F481A0376

PID: 2948 (cmd.exe)
Filename: C:\Users\admin\AppData\Local\Temp\_.vbs
Type: text
MD5: 877398741BDB51C85EF1F5EB827ACC48
SHA256: 957748ED20A0BB1442669E6470F189A902487ECFE69D093B1BB63A24063A8FC6
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2968 | saver.scr | POST | 200 | 200.63.40.2:80 | http://chuxagama.com/web-obtain/Panel/five/index.php | PA | text | 2 b | malicious
2968 | saver.scr | POST | 200 | 200.63.40.2:80 | http://chuxagama.com/web-obtain/Panel/five/index.php | PA | binary | 4.27 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2968 | saver.scr | 200.63.40.2:80 | chuxagama.com | Panamaserver.com | PA | malicious

DNS requests

Domain | IP | Reputation
chuxagama.com | 200.63.40.2 | malicious

Threats

PID | Process | Class | Message
2968 | saver.scr | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2
2968 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header
2968 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult encrypted PE file
2968 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header
2968 | saver.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request
2 ETPRO signatures available at the full report
No debug info