analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669

Full analysis: https://app.any.run/tasks/55f80ba2-33ec-403b-b677-65ab6c1d513c
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 14:06:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
floxif
loader
rat
azorult
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

292A2CA9AB51FDE1409D6A813F73972D

SHA1:

D889A7EEBD9F9618B4E88363198E1A1D36778890

SHA256:

6BC4B5060DFC123E96976DAFBBFC06473F54A9C8B297167CB75EE5470494D669

SSDEEP:

12288:3ehdbSgAnQPVZyuTJpHCB3CNsJVK6e7IMKdoqaxJQtQILOBjvrEH7e:3CbdJZyuTJpHCt7MrI5yqC6tbUrEH7e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Loads dropped or rewritten executable

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)
      • updatewin2.exe (PID: 2740)
      • updatewin1.exe (PID: 3440)
      • updatewin1.exe (PID: 3148)
      • updatewin.exe (PID: 3624)
      • conhost.exe (PID: 3048)
      • conhost.exe (PID: 636)
      • powershell.exe (PID: 2888)
      • 5.exe (PID: 2588)
      • conhost.exe (PID: 3504)
      • powershell.exe (PID: 3196)
      • powershell.exe (PID: 3344)
      • conhost.exe (PID: 2280)
      • cmd.exe (PID: 1216)
      • mpcmdrun.exe (PID: 2616)
      • conhost.exe (PID: 3984)
      • conhost.exe (PID: 272)
      • cmd.exe (PID: 1860)
      • timeout.exe (PID: 3156)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 1480)

    • Changes the autorun value in the registry

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Loads the Task Scheduler COM API

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Changes AppInit_DLLs value (autorun option)

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • FLOXIF was detected

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Connects to CnC server

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 5.exe (PID: 2588)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 1480)

    • Application was dropped or rewritten from another process

      • updatewin1.exe (PID: 3440)
      • updatewin2.exe (PID: 2740)
      • updatewin1.exe (PID: 3148)
      • updatewin.exe (PID: 3624)
      • 5.exe (PID: 2588)

    • Downloads executable files from the Internet

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Task Manager has been disabled (taskmgr)

      • updatewin1.exe (PID: 3148)

    • AZORULT was detected

      • 5.exe (PID: 2588)

    • Actions looks like stealing of personal data

      • 5.exe (PID: 2588)

  • SUSPICIOUS

    • Changes tracing settings of the file or console

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)

    • Creates files in the user directory

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • powershell.exe (PID: 2888)
      • powershell.exe (PID: 3196)
      • powershell.exe (PID: 3344)

    • Adds / modifies Windows certificates

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Executable content was dropped or overwritten

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)
      • 5.exe (PID: 2588)

    • Uses ICACLS.EXE to modify access control list

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)

    • Application launched itself

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 2532)
      • updatewin1.exe (PID: 3440)
      • powershell.exe (PID: 3196)

    • Creates files in the program directory

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)

    • Executes PowerShell scripts

      • updatewin1.exe (PID: 3148)
      • powershell.exe (PID: 3196)

    • Starts CMD.EXE for commands execution

      • updatewin1.exe (PID: 3148)
      • 5.exe (PID: 2588)

    • Reads the cookies of Google Chrome

      • 5.exe (PID: 2588)

    • Reads the cookies of Mozilla Firefox

      • 5.exe (PID: 2588)

    • Starts CMD.EXE for self-deleting

      • 5.exe (PID: 2588)

    • Executed via Task Scheduler

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 1480)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe (PID: 3840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:03:20 13:47:13+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 596992
InitializedDataSize: 5196288
UninitializedDataSize: -
EntryPoint: 0x58fed
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2018 12:47:13

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 20-Mar-2018 12:47:13
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00091BEC
0x00091C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.25611
.rdata
0x00093000
0x0000832F
0x00008400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.6841
.data
0x0009C000
0x004DBFD0
0x00002C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.26125
.idata
0x00578000
0x00001E8B
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.71801
.rsrc
0x0057A000
0x00009520
0x00009600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.21499
.reloc
0x00584000
0x00005AD4
0x00005C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
2.92596

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.42644
3752
UNKNOWN
UNKNOWN
RT_ICON
2
5.19506
2216
UNKNOWN
UNKNOWN
RT_ICON
3
5.00958
1736
UNKNOWN
UNKNOWN
RT_ICON
4
4.56216
1384
UNKNOWN
UNKNOWN
RT_ICON
5
3.5548
9640
UNKNOWN
UNKNOWN
RT_ICON
6
3.96299
4264
UNKNOWN
UNKNOWN
RT_ICON
7
4.052
2440
UNKNOWN
UNKNOWN
RT_ICON
8
4.11511
1128
UNKNOWN
UNKNOWN
RT_ICON
11
3.27347
1818
UNKNOWN
UNKNOWN
RT_STRING
111
2.85812
118
UNKNOWN
UNKNOWN
RT_GROUP_ICON

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
22
Malicious processes
7
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start #FLOXIF 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe icacls.exe no specs #FLOXIF 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe updatewin1.exe no specs updatewin2.exe no specs updatewin1.exe no specs updatewin.exe no specs powershell.exe no specs conhost.exe no specs #AZORULT 5.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs mpcmdrun.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs timeout.exe no specs 6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe

Process information

PID
CMD
Path
Indicators
Parent process
2532"C:\Users\admin\AppData\Local\Temp\6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe" C:\Users\admin\AppData\Local\Temp\6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3536icacls "C:\Users\admin\AppData\Local\81c7112d-c75d-4e2f-99a0-a0cda43bb0c9" /deny *S-1-1-0:(OI)(CI)(DE,DC)C:\Windows\system32\icacls.exe6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3840"C:\Users\admin\AppData\Local\Temp\6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe" --Admin IsNotAutoStart IsNotTaskC:\Users\admin\AppData\Local\Temp\6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3440"C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin1.exe" C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin1.exe6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2740"C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin2.exe" C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin2.exe6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3148"C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin1.exe" --AdminC:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin1.exeupdatewin1.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3624"C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin.exe" C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\updatewin.exe6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
User:
admin
Integrity Level:
HIGH
2888powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSignedC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeupdatewin1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3048\??\C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.execsrss.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2588"C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\5.exe" C:\Users\admin\AppData\Local\217d7faa-8daa-4e21-8a2a-fc58701cdefd\5.exe
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Total events
1 885
Read events
1 600
Write events
0
Delete events
0

Modification events

No data
Executable files
58
Suspicious files
6
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\geo[1].json
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Qemu-ga\libglib-2.0-0.dll.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Qemu-ga\intl.dll.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Qemu-ga\libgcc_s_sjlj-1.dll.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Qemu-ga\libssp-0.dll.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Qemu-ga\qemu-ga.exe.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Internet Explorer\ieproxy.dll.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL.tmp
MD5:
SHA256:
38406bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\updatewin1[1].exe
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
14
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2532
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
104.200.23.95:80
http://www.aieov.com/logo.gif
US
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
200
46.232.113.12:80
http://pool.ug/tesptc/penelop/updatewin1.exe
RU
executable
272 Kb
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
200
46.232.113.12:80
http://pool.ug/tesptc/penelop/updatewin.exe
RU
executable
277 Kb
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
404
46.232.113.12:80
http://pool.ug/tesptc/penelop/3.exe
RU
html
218 b
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
404
46.232.113.12:80
http://root.ug/Asjdh375yhSdf3SIudfh74hjsdfpenelop14/Asdghui37dfui/get.php?pid=2485E9F082250E269EA0EF635E0D382D&first=true
RU
html
256 b
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
200
46.232.113.12:80
http://pool.ug/tesptc/penelop/updatewin2.exe
RU
executable
274 Kb
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
200
46.232.113.12:80
http://pool.ug/tesptc/penelop/5.exe
RU
executable
192 Kb
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
200
104.200.22.130:80
http://www.aieov.com/logo.gif
US
image
14 b
malicious
1480
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
404
46.232.113.12:80
http://root.ug/Asjdh375yhSdf3SIudfh74hjsdfpenelop14/Asdghui37dfui/get.php?pid=2485E9F082250E269EA0EF635E0D382D
RU
html
256 b
malicious
1480
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
GET
404
46.232.113.12:80
http://root.ug/Asjdh375yhSdf3SIudfh74hjsdfpenelop14/Asdghui37dfui/get.php?pid=2485E9F082250E269EA0EF635E0D382D
RU
html
256 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2532
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
46.232.113.12:80
pool.ug
MAROSNET Telecommunication Company LLC
RU
malicious
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
104.200.22.130:80
www.aieov.com
Linode, LLC
US
malicious
2588
5.exe
46.232.113.12:80
pool.ug
MAROSNET Telecommunication Company LLC
RU
malicious
1480
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
77.123.139.189:443
api.2ip.ua
Volia
UA
unknown
2532
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
104.200.23.95:80
www.aieov.com
Linode, LLC
US
malicious
1480
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
46.232.113.12:80
pool.ug
MAROSNET Telecommunication Company LLC
RU
malicious

DNS requests

Domain
IP
Reputation
api.2ip.ua
  • 77.123.139.189
shared
5isohu.com
whitelisted
www.aieov.com
  • 104.200.23.95
  • 104.200.22.130
malicious
pool.ug
  • 46.232.113.12
malicious
root.ug
  • 46.232.113.12
malicious

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET POLICY External IP Address Lookup DNS Query
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
Misc activity
ET INFO Packed Executable Download
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer)
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
MALWARE [PTsecurity] Trojan-PSW.Win32.Coins.nrc
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
ET CURRENT_EVENTS Potential Dridex.Maldoc Minimal Executable Request
3840
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
11 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
6bc4b5060dfc123e96976dafbbfc06473f54a9c8b297167cb75ee5470494d669