Field | Value
---|---
URL | http://bit.ly/2GvLhs1
Full analysis | https://app.any.run/tasks/ccd21646-063a-4b96-af64-2a7042dfe8a9
Verdict | Malicious activity
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency wallet data. This constantly updated information stealer should not be taken lightly, as it remains an active threat.
Analysis date | April 24, 2019, 05:15:17
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | 306EAD25257A39EA23B7F0B1DCE92BEF
SHA1 | 1722F004637CDDC46154AB5D717B00854E9A08B2
SHA256 | A1C5EF039AEB6A925E62111069B28764E6CF0B9293E8244674DA36CAC5C7AC72
SSDEEP | 3:N1KcQ9TiTqU:CcYHU

Note on the hashes above: this task was submitted as a URL, and the SSDEEP block size of 3 indicates an object only a few bytes long, consistent with these being hashes of the submitted URL string rather than of the dropped executable. The hashes of the executable written to Opera's cache are listed in the created-files table below (MD5 652155F866D10E51A76A4F3E1810AD21); use those, not the ones above, as file IOCs.
PID | CMD | Path | Indicators | Parent process | User | Company | Description | Integrity level | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2580 | "C:\Program Files\Opera\opera.exe" http://bit.ly/2GvLhs1 | C:\Program Files\Opera\opera.exe | — | explorer.exe | admin | Opera Software | Opera Internet Browser | MEDIUM | 0 | 1748
3360 | "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\cash.xxx" | C:\Program Files\Notepad++\notepad++.exe | — | explorer.exe | admin | Don HO [email protected] | Notepad++ : a free (GNU) source code editor | MEDIUM | 0 | 7.51
2184 | "C:\Program Files\Notepad++\updater\gup.exe" -v7.51 | C:\Program Files\Notepad++\updater\gup.exe | — | notepad++.exe | admin | Don HO [email protected] | GUP : a free (LGPL) Generic Updater | MEDIUM | 0 | 4.1
2612 | "C:\Users\admin\Desktop\cash.xxx.exe" | C:\Users\admin\Desktop\cash.xxx.exe | — | explorer.exe | admin | kaiak3 | Unguis | MEDIUM | 0 | 1.02.0004
3276 | C:\Users\admin\Desktop\cash.xxx.exe" | C:\Users\admin\Desktop\cash.xxx.exe | — | cash.xxx.exe | admin | kaiak3 | Unguis | MEDIUM | 0 | 1.02.0004
3320 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cash.xxx.exe" | C:\Windows\system32\cmd.exe | — | cash.xxx.exe | admin | Microsoft Corporation | Windows Command Processor | MEDIUM | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3060 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe | admin | Microsoft Corporation | timeout - pauses command processing | MEDIUM | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
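Two things in the process tree above are worth turning into detection logic: the dropped file re-launches itself (PID 3276, parent cash.xxx.exe), and it then spawns cmd.exe to wait three seconds and delete its own image (PID 3320). The Python below is an added example, not part of the ANY.RUN report. The records are constructed from the PID, CMD, Path and Parent columns of the table above; the rule names, the user-writable path list and the regular expressions are this example's own assumptions. The self-deletion check is written more generally than the sample needs, so it also catches the ping-based delay and `del` switches that other loaders use.

```python
"""Detection heuristics over a sandbox process tree (added example).

The PROCESSES list is constructed from the report's process table; every
rule, threshold and path list below is an assumption of this example.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str      # command line exactly as the sandbox recorded it
    path: str     # image path
    parent: str   # parent image name, as the report lists it


# Constructed from the report's PID / CMD / Path / Parent columns.
PROCESSES = [
    Proc(2580, r'"C:\Program Files\Opera\opera.exe" http://bit.ly/2GvLhs1',
         r'C:\Program Files\Opera\opera.exe', 'explorer.exe'),
    Proc(3360, r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\cash.xxx"',
         r'C:\Program Files\Notepad++\notepad++.exe', 'explorer.exe'),
    Proc(2184, r'"C:\Program Files\Notepad++\updater\gup.exe" -v7.51',
         r'C:\Program Files\Notepad++\updater\gup.exe', 'notepad++.exe'),
    Proc(2612, r'"C:\Users\admin\Desktop\cash.xxx.exe"',
         r'C:\Users\admin\Desktop\cash.xxx.exe', 'explorer.exe'),
    Proc(3276, r'C:\Users\admin\Desktop\cash.xxx.exe"',
         r'C:\Users\admin\Desktop\cash.xxx.exe', 'cash.xxx.exe'),
    Proc(3320, r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "cash.xxx.exe"',
         r'C:\Windows\system32\cmd.exe', 'cash.xxx.exe'),
    Proc(3060, r'C:\Windows\system32\timeout.exe 3',
         r'C:\Windows\system32\timeout.exe', 'cmd.exe'),
]

# Assumed list of locations a standard user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# A delay primitive (timeout N, ping -n N ...) used to let the parent exit
# before its file is unlinked.
DELAY_RE = re.compile(r"\b(?:timeout(?:\.exe)?|ping(?:\.exe)?)\b", re.I)
# del/erase, optional switches such as /f /q, then the (optionally quoted) target.
DELETE_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+"?([^"&|\s]+)"?', re.I)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def double_extension(proc: Proc) -> bool:
    """cash.xxx.exe: an .exe carrying a decoy extension, run from a user-writable path."""
    parts = image_name(proc.path).split(".")
    return (len(parts) >= 3 and parts[-1] == "exe"
            and any(seg in proc.path.lower() for seg in USER_WRITABLE))


def respawns_own_image(proc: Proc) -> bool:
    """Parent is another instance of the same image: the loader re-launching itself."""
    return image_name(proc.path) == proc.parent.lower()


def self_delete(proc: Proc) -> bool:
    """cmd.exe started by X that waits (timeout/ping) and then deletes X's image."""
    if image_name(proc.path) != "cmd.exe":
        return False
    if not DELAY_RE.search(proc.cmd):
        return False
    m = DELETE_RE.search(proc.cmd)
    return bool(m) and ntpath.basename(m.group(1)).lower() == proc.parent.lower()


RULES = {
    "double_extension": double_extension,
    "respawns_own_image": respawns_own_image,
    "self_delete": self_delete,
}


def analyze(procs):
    """Return {pid: [rule names that fired]} for every process that hit a rule."""
    findings = {}
    for p in procs:
        hits = [name for name, rule in RULES.items() if rule(p)]
        if hits:
            findings[p.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in analyze(PROCESSES).items():
        print(pid, ", ".join(hits))
```

On a live host the same three fields are available from Sysmon Event ID 1 (Image, CommandLine, ParentImage), so the rules port directly to a SIEM query; the self-deletion rule in particular is low-noise because legitimate installers rarely spawn cmd.exe with both a delay and a `del` of their own parent.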
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2580 | opera.exe | write | HKEY_CURRENT_USER\Software\Opera Software | Last CommandLine v2 | C:\Program Files\Opera\opera.exe http://bit.ly/2GvLhs1
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | en-US
2580 | opera.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | MRUListEx | FFFFFFFF
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | NodeSlots | 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | MRUListEx | 0200000000000000010000000700000006000000030000000500000004000000FFFFFFFF
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | TV_FolderType | {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | TV_TopViewID | {82BA0782-5B7A-4569-B5D7-EC83085F08CC}
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg | TV_TopViewVersion | 0
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | Mode | 4
2580 | opera.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC} | LogicalViewMode | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr7115.tmp | — | — | —
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr7125.tmp | — | — | —
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr7194.tmp | — | — | —
2580 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp | — | — | —
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U6QV5V1BSOJWD406GK26.temp | — | — | —
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr8452.tmp | — | — | —
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat | binary | 81F0F124C7CFE82A708B02703FCF9BCD | 9D0F100271DED5578C70FA9FA4974ABA07C27405DFF5E7A0AE16198836DD41B2
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | 491E1F5F6B72B8B8AC5D74EBCC6F4F8F | E524BB026D6312E02928A327B25DB2880BE45589279D25C1182119D33819F9AA
2580 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | 9AAE50C0C86855DB8CA4578CA6AA3CD8 | 22F0265B3EDB74940B2D041579CFEF09A667DEE0EC62514998D5925D363870BF
2580 | opera.exe | C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp | executable | 652155F866D10E51A76A4F3E1810AD21 | 095073E50501BAD8FD8CF2462443047C8B07F82E30C6DB3242F59837A870C4C4
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
2580 | opera.exe | GET | 301 | 2.19.46.132:80 | http://www.amazon.com/exec/obidos/redirect-home/opera-20 | unknown | — | — | whitelisted
2580 | opera.exe | GET | 301 | 2.19.46.132:80 | http://www.amazon.com/exec/obidos/redirect-home/opera-20 | unknown | — | — | whitelisted
2580 | opera.exe | GET | — | 185.26.182.110:80 | http://redir.opera.com/speeddials/shopping/de | unknown | — | — | whitelisted
2580 | opera.exe | GET | 302 | 185.26.182.110:80 | http://redir.opera.com/speeddials/previews/shopping/de | unknown | html | 315 b | whitelisted
2580 | opera.exe | GET | 200 | 192.35.177.64:80 | http://crl.identrust.com/DSTROOTCAX3CRL.crl | US | der | 896 b | whitelisted
2580 | opera.exe | GET | 301 | 67.199.248.10:80 | http://bit.ly/2GvLhs1 | US | html | 123 b | shared
2580 | opera.exe | GET | 302 | 185.26.182.110:80 | http://redir.opera.com/speeddials/amazon/ | unknown | html | 319 b | whitelisted
2580 | opera.exe | GET | 200 | 66.225.197.197:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 543 b | whitelisted
2580 | opera.exe | GET | 302 | 185.26.182.110:80 | http://redir.opera.com/speeddials/booking.com | unknown | html | 221 b | whitelisted
— | — | GET | 200 | 195.138.255.24:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | DE | der | 1.37 Kb | whitelisted
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
2580 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2580 | opera.exe | 67.199.248.10:80 | bit.ly | Bitly Inc | US | shared
2580 | opera.exe | 82.145.215.40:443 | certs.opera.com | Opera Software AS | — | whitelisted
2580 | opera.exe | 192.35.177.64:80 | crl.identrust.com | IdenTrust | US | malicious
2184 | gup.exe | 37.59.28.236:443 | notepad-plus-plus.org | OVH SAS | FR | whitelisted
2580 | opera.exe | 195.138.255.24:80 | ocsp.int-x3.letsencrypt.org | AS33891 Netzbetrieb GmbH | DE | whitelisted
2580 | opera.exe | 66.225.197.197:80 | crl4.digicert.com | CacheNetworks, Inc. | US | whitelisted
— | — | 195.138.255.24:80 | ocsp.int-x3.letsencrypt.org | AS33891 Netzbetrieb GmbH | DE | whitelisted
2580 | opera.exe | 165.227.73.185:443 | www.beautymakeup.ca | Digital Ocean, Inc. | US | suspicious
2580 | opera.exe | 185.26.182.94:80 | sitecheck2.opera.com | Opera Software AS | — | whitelisted
Domain | IP | Reputation
---|---|---
bit.ly | — | shared
sitecheck2.opera.com | — | whitelisted
certs.opera.com | — | whitelisted
crl4.digicert.com | — | whitelisted
ocsp.digicert.com | — | whitelisted
www.beautymakeup.ca | — | malicious
crl.identrust.com | — | whitelisted
ocsp.int-x3.letsencrypt.org | — | whitelisted
notepad-plus-plus.org | — | whitelisted
isrg.trustid.ocsp.identrust.com | — | whitelisted
PID | Process | Class | Message
---|---|---|---
3276 | cash.xxx.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
3276 | cash.xxx.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Request
3276 | cash.xxx.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult Response
3276 | cash.xxx.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
3276 | cash.xxx.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
Process | Message
---|---
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | 42C4C5846BB675C74E2B2C90C69AB44366401093