Field | Value
---|---
File name | Product Specication.7z
Full analysis | https://app.any.run/tasks/2de1435d-663f-4248-bd51-c9dc9da6f71d
Verdict | Malicious activity
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer should not be taken lightly, as it continues to be an active threat.
Analysis date | February 21, 2020, 16:18:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/x-7z-compressed
File info | 7-zip archive data, version 0.4
MD5 | C73022492EEE329BE73E111D77F2A684
SHA1 | 523364B27A7EE1FBFB532ED0497F2065A6B8072A
SHA256 | 9879E2D3E88E7438236E325035B28AE5D7EB01C33FB4E8E7B2D0BFD82CF39203
SSDEEP | 192:pcbkJA6HCW90Yeckpc3rPYU/h0iSq0Pfo1G39cGLOgFPHTf9ZIKC:qb43CWoK3rR/VSq0no5GBFPQF
Extension | Identified type | Score
---|---|---
.7z | 7-Zip compressed archive (v0.4) | 57.1
.7z | 7-Zip compressed archive (gen) | 42.8
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3492 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Product Specication.7z" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2636 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000
620 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | — | svchost.exe | User: admin; Company: Design Science, Inc.; Integrity Level: MEDIUM; Description: Microsoft Equation Editor; Exit code: 0; Version: 00110900
3840 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | EQNEDT32.EXE | User: admin; Integrity Level: MEDIUM
3536 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3424 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3952 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
3588 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
2652 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
548 | "C:\Users\admin\AppData\Roaming\name.exe" | C:\Users\admin\AppData\Roaming\name.exe | — | name.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3492 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3492.40899\Product Specication.xlsx | — | — | —
2636 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRABE8.tmp.cvr | — | — | —
2636 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\Product Specication.xlsx.LNK | — | — | —
2636 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 04D116304E6D91673A1B1F0C7066D2D3 | 336889845E156D748A48D6618214B027E6819F657A428D2A306E604AAF928990
620 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\name.exe | executable | 6C7A0902597EC60D68EB210643A5B6D8 | 2B54318448A0DF8E939EC364B73D63D2A9E72E62FCC2D4E48B70EBC9D38726B4
620 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\bui[1].exe | executable | 6C7A0902597EC60D68EB210643A5B6D8 | 2B54318448A0DF8E939EC364B73D63D2A9E72E62FCC2D4E48B70EBC9D38726B4
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3424 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
2064 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
1412 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
548 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
2840 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
2536 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
1860 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
2840 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
3952 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
2480 | name.exe | POST | — | 217.160.59.64:80 | http://217.160.59.64/index.php | DE | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3424 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
3536 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
620 | EQNEDT32.EXE | 208.115.234.234:80 | yogeshcycles.com | Limestone Networks, Inc. | US | malicious |
548 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
2536 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
2064 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
3952 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
2480 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
1860 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
2840 | name.exe | 217.160.59.64:80 | — | 1&1 Internet SE | DE | malicious |
Domain | IP | Reputation
---|---|---
yogeshcycles.com | 208.115.234.234 | malicious
PID | Process | Class | Message |
---|---|---|---|
620 | EQNEDT32.EXE | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
620 | EQNEDT32.EXE | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3536 | name.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
3536 | name.exe | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.2 Client Checkin M3 |
3536 | name.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
3536 | name.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult |
3536 | name.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
3536 | name.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
3536 | name.exe | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.2 Client Checkin M3 |
3536 | name.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
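As an added detection example (not part of the ANY.RUN report or its tooling), the following Python runs a handful of rules over a constructed event stream that mirrors the process tree, dropped files and HTTP requests above: Equation Editor (EQNEDT32.EXE) spawning a child, writing a PE, or talking to the network; a loose executable in the %AppData%\Roaming root re-launching itself; and an HTTP POST to a bare IP address, which is the shape the ET INFO "POST to Dotted Quad" alert keys on. It also groups the dropped files by SHA256 to show that the cache copy bui[1].exe and name.exe are one and the same binary. The full paths for explorer.exe and svchost.exe, the GET URL for the yogeshcycles.com download (the report records only the host), the benign iexplore.exe control row and the rule names are assumptions of this example, not data from the report.

```python
"""Detection pass over constructed process, file and network events that
mirror the chain in the report above (WinRAR -> Excel -> EQNEDT32.EXE ->
name.exe -> POST to a bare IP).  The events are built inline for this
example; they are not exported from ANY.RUN.  Rule names are my own."""
import re

# Image paths copied from the report's process and file tables.
EXPLORER = r"C:\Windows\explorer.exe"            # assumed full path; report lists only "explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"     # assumed full path; report lists only "svchost.exe"
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
NAME = r"C:\Users\admin\AppData\Roaming\name.exe"
CACHE = (r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
         r"\Content.IE5\78RFYB7Z\bui[1].exe")
PAYLOAD_SHA256 = "2B54318448A0DF8E939EC364B73D63D2A9E72E62FCC2D4E48B70EBC9D38726B4"
C2 = "http://217.160.59.64/index.php"

# Constructed event stream.  The GET path for the yogeshcycles.com download is
# not in the report, so only the host is taken from it; the iexplore.exe row is
# a benign control that must not trigger anything.
EVENTS = [
    {"type": "process", "pid": 3492, "image": WINRAR, "parent_image": EXPLORER},
    {"type": "process", "pid": 2636, "image": EXCEL, "parent_image": EXPLORER},
    {"type": "process", "pid": 620, "image": EQN, "parent_image": SVCHOST},
    {"type": "network", "pid": 620, "image": EQN, "method": "GET", "url": "http://yogeshcycles.com/"},
    {"type": "file", "pid": 620, "image": EQN, "target": CACHE, "sha256": PAYLOAD_SHA256},
    {"type": "file", "pid": 620, "image": EQN, "target": NAME, "sha256": PAYLOAD_SHA256},
    {"type": "process", "pid": 3840, "image": NAME, "parent_image": EQN},
    {"type": "process", "pid": 3536, "image": NAME, "parent_image": NAME},
    {"type": "process", "pid": 3424, "image": NAME, "parent_image": NAME},
    {"type": "network", "pid": 3536, "image": NAME, "method": "POST", "url": C2},
    {"type": "network", "pid": 3424, "image": NAME, "method": "POST", "url": C2},
    {"type": "network", "pid": 2000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "method": "GET", "url": "http://www.example.com/"},
]

EQNEDT = "eqnedt32.exe"
PE_EXT = (".exe", ".dll", ".scr")
# http(s)://<dotted quad>[:port]/... : the shape the ET INFO "POST to Dotted Quad" rule keys on
DOTTED_QUAD_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/")
# An .exe sitting directly in the %AppData%\Roaming root, not in a vendor subfolder
ROAMING_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.I)


def basename(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if ev["type"] == "process":
            parent = basename(ev["parent_image"])
            # Equation Editor is an OLE server; it has no business starting processes.
            if parent == EQNEDT:
                findings.append(("eqnedt32_child_process", ev["pid"], ev["image"]))
            # A loose executable in the Roaming root re-launching itself.
            if ROAMING_ROOT_EXE.match(ev["image"]) and parent == image:
                findings.append(("appdata_self_spawn", ev["pid"], ev["image"]))
        elif ev["type"] == "file":
            # Equation Editor writing a PE anywhere is a drop, not document editing.
            if image == EQNEDT and ev["target"].lower().endswith(PE_EXT):
                findings.append(("eqnedt32_writes_pe", ev["pid"], ev["target"]))
        elif ev["type"] == "network":
            if image == EQNEDT:
                findings.append(("eqnedt32_network", ev["pid"], ev["url"]))
            if ev["method"] == "POST" and DOTTED_QUAD_URL.match(ev["url"]):
                findings.append(("post_to_dotted_quad", ev["pid"], ev["url"]))
    return findings


def summarize(findings):
    """Count hits per rule."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def shared_payloads(events):
    """Group dropped files by SHA256.  The browser-cache copy and the Roaming
    copy of the payload hash identically, so one hash blocks both."""
    by_hash = {}
    for ev in events:
        if ev["type"] == "file" and ev.get("sha256"):
            by_hash.setdefault(ev["sha256"], []).append(ev["target"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:24} pid={pid:<5} {detail}")
    print(shared_payloads(EVENTS))
```

On real telemetry the same three event shapes map onto Sysmon event IDs 1 (process create), 11 (file create) and 3 (network connect); the Roaming-root rule is deliberately narrow so that software that installs under a vendor subfolder of %AppData% is not flagged.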