File name:

sample1.doc

Full analysis: https://app.any.run/tasks/fd9a76fa-39b9-406a-89b7-6c353a79ac74
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: July 17, 2019, 07:01:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
opendir
trojan
rat
azorult
maldoc-8
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Template: Normal.dotm, Last Saved By: Livingstone Ozueh, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 01:00, Create Time/Date: Wed Jul 17 06:16:00 2019, Last Saved Time/Date: Wed Jul 17 05:24:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

3DA330FF7B9B2BEE81545D5D36EDD64E

SHA1:

26287295F86C5E32C6A8930B435A432111C36BE5

SHA256:

98B3D4EE0FBDFB136462BB2F1E200368A5BB05C524E353A42EA9700EAEC44928

SSDEEP:

3072:owOvSodDs0IG/yUPVhi1bfnYbOeYZhm/GzjviJDg:biyEqGeR66

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 3848)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 3848)
    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3848)
    • Application was dropped or rewritten from another process

      • karo.exe (PID: 3940)
      • karo.exe (PID: 3888)
    • Connects to CnC server

      • karo.exe (PID: 3940)
    • AZORULT was detected

      • karo.exe (PID: 3940)
    • Loads dropped or rewritten executable

      • karo.exe (PID: 3940)
    • Actions looks like stealing of personal data

      • karo.exe (PID: 3940)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3848)
    • Creates files in the user directory

      • karo.exe (PID: 3940)
    • Application launched itself

      • karo.exe (PID: 3888)
    • Executable content was dropped or overwritten

      • karo.exe (PID: 3940)
    • Reads the cookies of Mozilla Firefox

      • karo.exe (PID: 3940)
    • Starts CMD.EXE for commands execution

      • karo.exe (PID: 3940)
    • Reads the cookies of Google Chrome

      • karo.exe (PID: 3940)
    • Starts CMD.EXE for self-deleting

      • karo.exe (PID: 3940)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3848)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3848)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: -
Subject: -
Author: -
Keywords: -
Comments: -
Template: Normal.dotm
LastModifiedBy: Livingstone Ozueh
RevisionNumber: 2
Software: Microsoft Office Word
TotalEditTime: 1.0 minutes
CreateDate: 2019:07:17 05:16:00
ModifyDate: 2019:07:17 04:24:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Latin 1 (Western European)
Company: -
Bytes: 11000
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 15
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts: -
HeadingPairs:
  • Title
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

(Graph image available in the full report.) Process chain shown in the graph: winword.exe → karo.exe (no specs) → #AZORULT karo.exe → cmd.exe (no specs) → timeout.exe (no specs); the edges are labelled "drop and start" (winword.exe → karo.exe) and "start".

Process information

PID: 3848
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\sample1.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3888
CMD: "C:\Users\admin\AppData\Local\Temp\karo.exe"
Path: C:\Users\admin\AppData\Local\Temp\karo.exe
Parent process: WINWORD.EXE
User: admin
Company: daman4
Integrity Level: MEDIUM
Description: CUREPIPE2
Exit code: 0
Version: 1.02.0004

PID: 3940
CMD: C:\Users\admin\AppData\Local\Temp\karo.exe"
Path: C:\Users\admin\AppData\Local\Temp\karo.exe
Parent process: karo.exe
User: admin
Company: daman4
Integrity Level: MEDIUM
Description: CUREPIPE2
Exit code: 0
Version: 1.02.0004

PID: 3872
CMD: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "karo.exe"
Path: C:\Windows\system32\cmd.exe
Parent process: karo.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 692
CMD: C:\Windows\system32\timeout.exe 3
Path: C:\Windows\system32\timeout.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: timeout - pauses command processing
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 158
Read events
799
Write events
0
Delete events
0

Modification events

No data
Executable files
50
Suspicious files
0
Text files
1
Unknown types
3

Dropped files

PID | Process | Filename | Type

3848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRF899.tmp.cvr | -
MD5: -
SHA256: -

3848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc
MD5: 2C39A189637295DD923019C1183D4B0D
SHA256: 8C646733D9EAE60486E0A22F4893A17C0AE06C280488BCE0A6A697F53A565338

3848 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@elkagroupe[1].txt | text
MD5: 264BD034F7272BF060A7FDD56C996E7A
SHA256: 070846926FD84DD3E3B1A3EB93B5A15050F56F414842EF453A624A416A7AE122

3848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\karo[1].exe | executable
MD5: CF19C5506A2C85335DCC5723D9BD0222
SHA256: A553E41C6DDA3A2BA45BB0AD163AC4717D6DEA4F802F140C1D6D05CFB10E08C3

3848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\karo.exe | executable
MD5: CF19C5506A2C85335DCC5723D9BD0222
SHA256: A553E41C6DDA3A2BA45BB0AD163AC4717D6DEA4F802F140C1D6D05CFB10E08C3

3848 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$ample1.doc | pgc
MD5: CF705045DCF430E143BCE7CAD3E90D05
SHA256: 2E282E9753E0FFEF1E64F90B77C5D18F09C24AED046D3591A30CB28760311B4D

3940 | karo.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll | executable
MD5: 2EA3901D7B50BF6071EC8732371B821C
SHA256: 44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A

3940 | karo.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll | executable
MD5: 6D778E83F74A4C7FE4C077DC279F6867
SHA256: A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325

3940 | karo.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll | executable
MD5: CB978304B79EF53962408C611DFB20F5
SHA256: 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3

3940 | karo.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll | executable
MD5: 88FF191FD8648099592ED28EE6C442A5
SHA256: C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
3
DNS requests
2
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3848 | WINWORD.EXE | GET | 301 | 104.18.49.237:80 | http://elkagroupe.com/wp/karo.exe | US | - | - | malicious
3940 | karo.exe | POST | 200 | 78.46.77.178:80 | http://aviskarprl.co.in/cgi/index.php | DE | text | 2 b | malicious
3940 | karo.exe | POST | 200 | 78.46.77.178:80 | http://aviskarprl.co.in/cgi/index.php | DE | binary | 4.27 Mb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3848 | WINWORD.EXE | 104.18.49.237:80 | elkagroupe.com | Cloudflare Inc | US | shared
3848 | WINWORD.EXE | 104.18.49.237:443 | elkagroupe.com | Cloudflare Inc | US | shared
3940 | karo.exe | 78.46.77.178:80 | aviskarprl.co.in | Hetzner Online GmbH | DE | malicious

DNS requests

Domain | IP | Reputation
elkagroupe.com | 104.18.49.237, 104.18.48.237 | malicious
aviskarprl.co.in | 78.46.77.178 | malicious

Threats

PID | Process | Class | Message
3940 | karo.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2
3940 | karo.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon
3940 | karo.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon
3940 | karo.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request
3940 | karo.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
3940 | karo.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult encrypted PE file
3940 | karo.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
3940 | karo.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon
3940 | karo.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request
3940 | karo.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
2 ETPRO signatures available at the full report
No debug info