File name: | ref=RFQ confirmation 5-MT.doc |
Full analysis: | https://app.any.run/tasks/fc0fef33-8dc0-4696-87ad-d8fb49883cb0 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | January 23, 2019, 10:49:08 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | C7AB6D4D0B932768E3FC2AE9535E7A70 |
SHA1: | 81EA1AD7CE1B2341E3FAB511B33EEFD484DD1876 |
SHA256: | 678EC65887C4F3F536DECF2F30B6B3D4ACBB62ABECE77542901EDF7355F9FF38 |
SSDEEP: | 1536:qs5pRDTsNVxJcZMCkDTANiZJ1lMKVDTdNxsJYcMkBDTU7NztJrxMuUisxYtK:qS3DT4FDT8CDTXyDTUhj1UYU |
.rtf | | | Rich Text Format (100) |
---|
LastModifiedBy: | BINGHERO |
---|---|
CreateDate: | 2019:01:23 08:24:00 |
ModifyDate: | 2019:01:23 08:24:00 |
RevisionNumber: | 1 |
TotalEditTime: | - |
Pages: | 1 |
Words: | 15 |
Characters: | 90 |
CharactersWithSpaces: | 104 |
InternalVersionNumber: | 57433 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2992 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\ref=RFQ confirmation 5-MT.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3824 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
4060 | "C:\Users\admin\AppData\Local\Temp\adobepdf.exe" | C:\Users\admin\AppData\Local\Temp\adobepdf.exe | — | EXCEL.EXE |
User: admin Company: Xvid Solutions Integrity Level: MEDIUM Description: Xvid MiniConvert for Windows Exit code: 0 Version: ... | ||||
3156 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2064 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | — | adobepdf.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Event Viewer Snapin Launcher Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2228 | "C:\Users\admin\AppData\Local\Temp\adobepdf.exe" | C:\Users\admin\AppData\Local\Temp\adobepdf.exe | — | EXCEL.EXE |
User: admin Company: Xvid Solutions Integrity Level: MEDIUM Description: Xvid MiniConvert for Windows Exit code: 0 Version: ... | ||||
2804 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2204 | "C:\Windows\System32\eventvwr.exe" | C:\Windows\System32\eventvwr.exe | adobepdf.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Event Viewer Snapin Launcher Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3908 | "C:\Users\admin\AppData\Local\Temp\adobepdf.exe" | C:\Users\admin\AppData\Local\Temp\adobepdf.exe | eventvwr.exe | |
User: admin Company: Xvid Solutions Integrity Level: HIGH Description: Xvid MiniConvert for Windows Exit code: 0 Version: ... | ||||
3392 | "C:\Users\admin\AppData\Local\Temp\adobepdf.exe" | C:\Users\admin\AppData\Local\Temp\adobepdf.exe | — | EXCEL.EXE |
User: admin Company: Xvid Solutions Integrity Level: MEDIUM Description: Xvid MiniConvert for Windows Exit code: 0 Version: ... |
PID | Process | Filename | Type | |
---|---|---|---|---|
2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE851.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3824 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRF04F.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3156 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRFE69.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2804 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR35A.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2500 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR9E2.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2052 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\CVRF41.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2052 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF3872FEE29EC543D2.TMP | — | |
MD5:— | SHA256:— | |||
2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB659805FC53D1A62.TMP | — | |
MD5:— | SHA256:— | |||
2052 | excelcnv.exe | C:\Users\admin\AppData\Local\Temp\~DF29C87965DEE5D812.TMP | — | |
MD5:— | SHA256:— | |||
2992 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFF0A441620DC8970E.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2500 | EXCEL.EXE | GET | 304 | 193.56.28.105:80 | http://uploader.sx/uploads/2019/adobepdf_exe.exe | unknown | — | — | suspicious |
2804 | EXCEL.EXE | GET | 304 | 193.56.28.105:80 | http://uploader.sx/uploads/2019/adobepdf_exe.exe | unknown | — | — | suspicious |
3824 | EXCEL.EXE | GET | 200 | 193.56.28.105:80 | http://uploader.sx/uploads/2019/adobepdf_exe.exe | unknown | executable | 1.32 Mb | suspicious |
2348 | adobepdf.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | text | 2 b | malicious |
3676 | server.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | binary | 4.27 Mb | malicious |
3576 | server.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | binary | 4.27 Mb | malicious |
2348 | adobepdf.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | binary | 4.27 Mb | malicious |
3576 | server.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | text | 2 b | malicious |
2152 | server.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | text | 2 b | malicious |
2712 | server.exe | POST | 200 | 111.90.150.170:80 | http://dboyusa.online/index.php | unknown | binary | 4.27 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2348 | adobepdf.exe | 111.90.150.170:80 | dboyusa.online | Shinjiru Technology Sdn Bhd | — | malicious |
3676 | server.exe | 111.90.150.170:80 | dboyusa.online | Shinjiru Technology Sdn Bhd | — | malicious |
2712 | server.exe | 111.90.150.170:80 | dboyusa.online | Shinjiru Technology Sdn Bhd | — | malicious |
2152 | server.exe | 111.90.150.170:80 | dboyusa.online | Shinjiru Technology Sdn Bhd | — | malicious |
3824 | EXCEL.EXE | 193.56.28.105:80 | uploader.sx | — | — | suspicious |
3840 | server.exe | 111.90.150.170:80 | dboyusa.online | Shinjiru Technology Sdn Bhd | — | malicious |
3576 | server.exe | 111.90.150.170:80 | dboyusa.online | Shinjiru Technology Sdn Bhd | — | malicious |
2804 | EXCEL.EXE | 193.56.28.105:80 | uploader.sx | — | — | suspicious |
2500 | EXCEL.EXE | 193.56.28.105:80 | uploader.sx | — | — | suspicious |
Domain | IP | Reputation |
---|---|---|
uploader.sx |
| suspicious |
dboyusa.online |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3824 | EXCEL.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2348 | adobepdf.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2348 | adobepdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2348 | adobepdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
2348 | adobepdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
2348 | adobepdf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2152 | server.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2152 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2152 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
2152 | server.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |