Field | Value
---|---
File name | 888 PASS.rar
Full analysis | https://app.any.run/tasks/b84c0e5c-92a5-4e14-adf7-052ef69b9e52
Verdict | Malicious activity
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Analysis date | October 14, 2019, 13:49:22
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags |
Indicators |
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | BBA3C2554A760CFED06A33B8623CDB0D
SHA1 | BDE296B975BB455FDDC94CC41BFEE78AA3B1F851
SHA256 | 7D4DD04C3A74A8714D6DAE89C5698CE302013EE5502B6FF272432E5B3587B214
SSDEEP | 49152:my9NoEK9a+Ur4fmOZ9QfecRxU5HaIpGyWV1ZPUDw/UIN2WI1F+oB:my9g9ahr44mcvU56IwfZPUDw8Rl1F+2
Extension | Identification
---|---
.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
PID | CMD | Path | Parent process | Details
---|---|---|---|---
2108 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\888 PASS.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2252 | "C:\Users\admin\Desktop\bild3r.exe" | C:\Users\admin\Desktop\bild3r.exe | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3352 | "C:\Users\admin\AppData\Local\Temp\build.exe" | C:\Users\admin\AppData\Local\Temp\build.exe | bild3r.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
1908 | "C:\Users\admin\AppData\Local\Temp\builder.exe" | C:\Users\admin\AppData\Local\Temp\builder.exe | bild3r.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2108 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E | LanguageList | en-US
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\888 PASS.rar
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
2108 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\db\DBStruct.txt | text | EB43D9663246416D2708454F5BD457D3 | E76FC77548D7B2B831D2F5E07CB79030A64B7D047BF5157B850204AF83B90663
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\cfg.txt | text | 8CB4A7D8763DF191FAA73F9C34B77B20 | C0D4963CEA224F8A7694AA0EC331756DBACE03C8F3593F453B7C99FCDC841E12
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\info\Install.txt | text | 04545FEB812A005A8148B871A7C1B19A | 36A6733B247A85DE00DDE0D5618E5D807EA375C9DD45C2724043E9C7D2E34BF8
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\html\passwords.html | text | 7DB9C6BC5F63A56C0F8B88D430DEBE6B | A0ECA1EDA8BE00E5A09F1780CDD551497A925F7A8CDEF4AA3425EE4700940E97
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\functions.php | text | 89FA06E4714729E3DE36DE84833CFFCE | CDD71F07BD8F6CF11354B954930FD403341C4BA12B5D57A49A89761C5A699CCE
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\info\db_struct.txt | text | D7121AFFCD0F6AB92C3931A7D96017CB | 053D139D7444BD577D594686D633DC3EDCB4E22BDA6BF711F0356C10FC31FA16
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\html\fullpage.html | html | 49458784C399C9A9875C1BEBDC102524 | BA95880380CF75D5DE3F9AD81E9A2337AB812FBDA227FB9BE14148530638368E
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\css\style.css | text | 64A70823B4F5E6B83D0B2822F5037473 | 8F40A216A2369E9F8D732A52254D8BA090C920E6CC90378A7747702C90B2DEA4
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\html\menu.html | html | 4CAA0E5DBA13BF7D271FB75AB36B364F | 871589FC3E048E4B3DD39F425CDFDA0619AE24CEF6018F887878BC3B4A1029D1
2108 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2108.49125\Panel\html\reports.html | text | F44F74C0DAE5C545804C9CD8984EC147 | 326746CE7FCEC6D63B2F7B9A4A46F684DFAF7E785EBC2626AA71501DEE791C9A
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3352 | build.exe | POST | 200 | 194.61.0.3:80 | http://194.61.0.3/gate.php | unknown | text | 181 b | malicious |
3352 | build.exe | POST | 200 | 194.61.0.3:80 | http://194.61.0.3/gate.php | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3352 | build.exe | 194.61.0.3:80 | — | — | — | malicious |
PID | Process | Class | Message |
---|---|---|---|
3352 | build.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |
3352 | build.exe | A Network Trojan was detected | ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad |
3352 | build.exe | A Network Trojan was detected | REMOTE [PTsecurity] AZORULT |
3352 | build.exe | A Network Trojan was detected | REMOTE [PTsecurity] AZORULT |
3352 | build.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult stealer CnC Response (for any 3byte XOR key) |
3352 | build.exe | A Network Trojan was detected | ET TROJAN Likely Zbot Generic Request to gate.php Dotted-Quad |
3352 | build.exe | A Network Trojan was detected | REMOTE [PTsecurity] AZORULT |
3352 | build.exe | A Network Trojan was detected | ET TROJAN Trojan Generic - POST To gate.php with no accept headers |