Field | Value
---|---
Download | payload.ps1
Full analysis | https://app.any.run/tasks/23b2e36e-6f70-47b6-912a-7a8ecad0dd01
Verdict | Malicious activity
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Analysis date | July 11, 2019, 20:55:22
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/plain
File info | ASCII text, with very long lines
MD5 | 0CF05FC0E2B1F0FEE31B1B0C204BC7EB
SHA1 | 6C514FAB14234C71B42C871C9E06D536A5B3C482
SHA256 | 6548AE6CF74F6009BA0C0D381C9E32D6468ACC18C4BA2F4636F2DA88C9D60DAB
SSDEEP | 12288:bSYw5xWAEyddG9OF3yLH2X61XC2HpejxSQ:OYwLWAEUI/j1yjxJ
PID | Command line | Path | Parent process | User | Integrity level | Exit code | Company / Description / Version
---|---|---|---|---|---|---|---
3100 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\payload.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | admin | MEDIUM | 0 | Microsoft Corporation / Windows PowerShell / 6.1.7600.16385 (win7_rtm.090713-1255)
2800 | "C:\Users\Public\iopl.exe" | C:\Users\Public\iopl.exe | powershell.exe | admin | MEDIUM | 0 | wallbound / Wheaton5 / 1.02.0007
2968 | "C:\Users\Public\iopl.exe" | C:\Users\Public\iopl.exe | iopl.exe | admin | MEDIUM | 1337 | wallbound / Wheaton5 / 1.02.0007
3856 | "C:\Users\admin\AppData\Local\Temp\Wda65x1xuIyAJ2PCGlBX1lH2Y.exe" | C:\Users\admin\AppData\Local\Temp\Wda65x1xuIyAJ2PCGlBX1lH2Y.exe | explorer.exe | admin | MEDIUM | 0 | PROSTERNUM10 / distrustingly / 1.08.0005
2556 | "C:\Users\admin\AppData\Local\Temp\dwwpQzThss7BXhWUbepfSu2ox.exe" | C:\Users\admin\AppData\Local\Temp\dwwpQzThss7BXhWUbepfSu2ox.exe | explorer.exe | admin | MEDIUM | 0 | evaporometer / Annalen / 3.3.6.4
3480 | "C:\Users\admin\AppData\Local\Temp\au4T6j7hTuRnPR5SZTr6eSg6R.exe" | C:\Users\admin\AppData\Local\Temp\au4T6j7hTuRnPR5SZTr6eSg6R.exe | explorer.exe | admin | MEDIUM | 0 | efurojovobemuj / uxowigivez / 9.14.19.24
2336 | "C:\Users\admin\AppData\Local\Temp\eKK9QZTIl443XGz8wu265cwR6.exe" | C:\Users\admin\AppData\Local\Temp\eKK9QZTIl443XGz8wu265cwR6.exe | explorer.exe | admin | MEDIUM | — | ofosoteyohijicuyunom / ijehehih / 4.5.7.9
2056 | "C:\Users\admin\AppData\Local\Temp\Wda65x1xuIyAJ2PCGlBX1lH2Y.exe" | C:\Users\admin\AppData\Local\Temp\Wda65x1xuIyAJ2PCGlBX1lH2Y.exe | Wda65x1xuIyAJ2PCGlBX1lH2Y.exe | admin | MEDIUM | 0 | PROSTERNUM10 / distrustingly / 1.08.0005
3584 | "C:\Users\admin\AppData\Local\Temp\dwwpQzThss7BXhWUbepfSu2ox.exe" | C:\Users\admin\AppData\Local\Temp\dwwpQzThss7BXhWUbepfSu2ox.exe | dwwpQzThss7BXhWUbepfSu2ox.exe | admin | MEDIUM | 0 | evaporometer / Annalen / 3.3.6.4
2772 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\AppData\Local\Temp\au4T6j7hTuRnPR5SZTr6eSg6R.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | au4T6j7hTuRnPR5SZTr6eSg6R.exe | admin | MEDIUM | 0 | Microsoft Corporation / Windows Command Processor / 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID | Process | Operation | Registry key | Name | Value
---|---|---|---|---|---
3100 | powershell.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
3100 | powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3100 | powershell.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2968 | iopl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2968 | iopl.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2968 | iopl.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iopl_RASAPI32 | EnableFileTracing | 0
2968 | iopl.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iopl_RASAPI32 | EnableConsoleTracing | 0
2968 | iopl.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iopl_RASAPI32 | FileTracingMask | 4294901760
2968 | iopl.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iopl_RASAPI32 | ConsoleTracingMask | 4294901760
2968 | iopl.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\iopl_RASAPI32 | MaxFileSize | 1048576
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R47M8M6K361DRHYX9W22.temp | — | — | —
2968 | iopl.exe | C:\Users\admin\AppData\Local\Temp\au4T6j7hTuRnPR5SZTr6eSg6R.exe | executable | B56FFC613CC952CD5F190331A6B92CFF | 24D9791DCF78470AE04900EFEBF8F16CF30F7F3BF8824C0C8B357CC57EB03768
2968 | iopl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071120190712\index.dat | dat | 19A6E04D1F411ED92B5B6D1E1307CCAD | 6B56095FD77A970940DCECC2CD5EBE6D38B70F7E619D8917FEDAF475EE178EA2
3100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF100b0e.TMP | binary | 4B92A079D7F4DFA0DFE9125E60FE7814 | E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
2968 | iopl.exe | C:\Users\admin\AppData\Local\Temp\dwwpQzThss7BXhWUbepfSu2ox.exe | executable | 01C36962C6080C4F91E2DF0C1C1AD935 | 27A323D4A2158F76A4E4E27F5E45549963E5A192196EC4C0F8859A5CF4C3B646
3100 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 4B92A079D7F4DFA0DFE9125E60FE7814 | E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
2968 | iopl.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat | dat | D7A950FEFD60DBAA01DF2D85FEFB3862 | 75D0B1743F61B76A35B1FEDD32378837805DE58D79FA950CB6E8164BFA72073A
3100 | powershell.exe | C:\Users\Public\iopl.exe | executable | 2244283161322DA4D7790944ABAFC44D | 613282B5950002066B84FC5A0FEBA6C8045E83A336C474A3AA24263F3A29CBA3
2968 | iopl.exe | C:\Users\admin\AppData\Local\Temp\Wda65x1xuIyAJ2PCGlBX1lH2Y.exe | executable | 56335A844C5E8833170524D97A01B571 | F80A7107EF8BEBD717297AAF2427C405B4809284537F95CA7067FA6122FBE2FA
2968 | iopl.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\kanorgate[1].php | text | 936052F95D5AF43B58CBFF3EB7B864F7 | 41DBC39AC7750D7C7AD5022B276BCBF2FC9F1A13828F22C1000F71937B4DF3A7
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | GET | 200 | 188.246.233.25:80 | http://fdghdf344.ru/winidsi34dfg_signed.exe | RU | executable | 556 Kb | malicious |
2968 | iopl.exe | GET | 200 | 188.246.233.25:80 | http://fdghdf344.ru/gz/kanorgate.php?g=-994429369&k=ij8qpGocMAju06bXEjoLA1Fz9 | RU | text | 1.29 Mb | malicious |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | POST | 200 | 188.246.233.25:80 | http://fdghdf344.ru/index.php | RU | binary | 4.28 Mb | malicious |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | GET | 200 | 188.246.233.25:80 | http://fdghdf344.ru/rfds34hfgdf34.exe | RU | executable | 482 Kb | malicious |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | GET | 200 | 188.246.233.25:80 | http://fdghdf344.ru/a2nw234efg354_signed.exe | RU | executable | 359 Kb | malicious |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | POST | 200 | 188.246.233.25:80 | http://fdghdf344.ru/index.php | RU | text | 2 b | malicious |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | GET | 200 | 188.246.233.25:80 | http://fdghdf344.ru/rfsd543fg354gdf_signed.exe | RU | executable | 338 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | 188.246.233.25:80 | fdghdf344.ru | Kassir, Ltd. | RU | malicious |
2968 | iopl.exe | 188.246.233.25:80 | fdghdf344.ru | Kassir, Ltd. | RU | malicious |
Domain | IP | Reputation
---|---|---
shell.view | — | unknown
fdghdf344.ru | — | malicious
PID | Process | Class | Message |
---|---|---|---|
2968 | iopl.exe | A Network Trojan was detected | MALWARE [PTsecurity] Godzilla Loader |
2968 | iopl.exe | A Network Trojan was detected | MALWARE [PTsecurity] Godzilla Loader C2 Response |
2968 | iopl.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded |
2968 | iopl.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload hide in HTML content |
2968 | iopl.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable base64 Payload |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | A Network Trojan was detected | AV TROJAN AZOrult++ CnC Response |
3584 | dwwpQzThss7BXhWUbepfSu2ox.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response |
Process | Message |
---|---|
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |
dwwpQzThss7BXhWUbepfSu2ox.exe | User32.dll |