File name: a2eac99addf30170e0cf67d4a5431b3ae7777a8f745c378c48b2f221f780eb0f

Full analysis: https://app.any.run/tasks/d4b8b54e-451a-493b-9714-eb0e2f71c7bb
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: February 19, 2019, 08:48:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: exploit, CVE-2017-11882, loader, trojan, rat, azorult
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
MD5: ED8AC5BAB132CFD041690334C8BFED8E
SHA1: B5294A6AC9AB64FB95FEEE885F9B7893A4377D25
SHA256: A2EAC99ADDF30170E0CF67D4A5431B3AE7777A8F745C378C48B2F221F780EB0F
SSDEEP: 192:P6WmTEW5zzCzmZ21nRsOgTdVZJhpnchPdS4xq4o+XI/v:S7Tf5KzZD3gTdVZnpi5qp5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • TJClgGxXvpXdsjPB.exe (PID: 4052)
      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 2600)
      • MDEServer.exe (PID: 1164)
    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3132)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3132)
    • Uses Task Scheduler to run other applications

      • TJClgGxXvpXdsjPB.exe (PID: 4052)
      • MDEServer.exe (PID: 2600)
    • Downloads executable files from IP

      • EQNEDT32.EXE (PID: 3132)
    • Downloads executable files from the Internet

      • EQNEDT32.EXE (PID: 3132)
    • Connects to CnC server

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2768)
      • schtasks.exe (PID: 3020)
    • AZORULT was detected

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Actions look like stealing of personal data

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Loads dropped or rewritten executable

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3132)
      • TJClgGxXvpXdsjPB.exe (PID: 4052)
      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Application launched itself

      • TJClgGxXvpXdsjPB.exe (PID: 4052)
      • MDEServer.exe (PID: 2600)
    • Creates files in the user directory

      • TJClgGxXvpXdsjPB.exe (PID: 4052)
    • Connects to server without host name

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Reads the cookies of Google Chrome

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Reads the cookies of Mozilla Firefox

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
    • Starts CMD.EXE for commands execution

      • TJClgGxXvpXdsjPB.exe (PID: 3564)
      • MDEServer.exe (PID: 1164)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2796)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2796)
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Legend: start, drop and start

  • winword.exe (no specs)
  • eqnedt32.exe
  • tjclggxxvpxdsjpb.exe #AZORULT
  • tjclggxxvpxdsjpb.exe
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • timeout.exe (no specs)
  • mdeserver.exe (no specs)
  • mdeserver.exe #AZORULT
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • timeout.exe (no specs)

Process information

PID: 2796
  CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\a2eac99addf30170e0cf67d4a5431b3ae7777a8f745c378c48b2f221f780eb0f.rtf"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft Word
  Version: 14.0.6024.1000

PID: 3132
  CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Parent process: svchost.exe
  User: admin
  Company: Design Science, Inc.
  Integrity Level: MEDIUM
  Description: Microsoft Equation Editor
  Exit code: 0
  Version: 00110900

PID: 4052
  CMD: "C:\Users\admin\AppData\Local\TJClgGxXvpXdsjPB.exe"
  Path: C:\Users\admin\AppData\Local\TJClgGxXvpXdsjPB.exe
  Parent process: EQNEDT32.EXE
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID: 3564
  CMD: "C:\Users\admin\AppData\Local\TJClgGxXvpXdsjPB.exe"
  Path: C:\Users\admin\AppData\Local\TJClgGxXvpXdsjPB.exe
  Parent process: TJClgGxXvpXdsjPB.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID: 2768
  CMD: "C:\Windows\System32\schtasks.exe" /create /tn eudcedit /tr "C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe" /sc minute /mo 1 /F
  Path: C:\Windows\System32\schtasks.exe
  Parent process: TJClgGxXvpXdsjPB.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Manages scheduled tasks
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2892
  CMD: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "TJClgGxXvpXdsjPB.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: TJClgGxXvpXdsjPB.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3760
  CMD: C:\Windows\system32\timeout.exe 3
  Path: C:\Windows\system32\timeout.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: timeout - pauses command processing
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2600
  CMD: C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe
  Path: C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe
  Parent process: taskeng.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID: 1164
  CMD: "C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe"
  Path: C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe
  Parent process: MDEServer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID: 3020
  CMD: "C:\Windows\System32\schtasks.exe" /create /tn eudcedit /tr "C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe" /sc minute /mo 1 /F
  Path: C:\Windows\System32\schtasks.exe
  Parent process: MDEServer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Manages scheduled tasks
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 991
Read events: 1 618
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 98
Suspicious files: 0
Text files: 0
Unknown types: 4

Dropped files

PID: 2796 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\CVR88BE.tmp.cvr
  Type: (not identified)
  MD5: (not available)
  SHA256: (not available)

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
  Type: executable
  MD5: CB978304B79EF53962408C611DFB20F5
  SHA256: 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3

PID: 3132 (EQNEDT32.EXE)
  Filename: C:\Users\admin\AppData\Local\TJClgGxXvpXdsjPB.exe
  Type: executable
  MD5: 61C119409197B9ED61F51ECDFEB57F1A
  SHA256: 37C89343834A77200FF1C5DC50545F7B43F9F5264CA7E54AEEA2739231912E19

PID: 4052 (TJClgGxXvpXdsjPB.exe)
  Filename: C:\Users\admin\eudcedit.lnk
  Type: lnk
  MD5: 572CDE09F722D31BA79E52C0C2B80B30
  SHA256: E841FDB967A74BB37E412B866D944BFBDC0C15C0C1C311ACEF0A54F1E1408BDC

PID: 2796 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Local\Temp\~$eac99addf30170e0cf67d4a5431b3ae7777a8f745c378c48b2f221f780eb0f.rtf
  Type: pgc
  MD5: ACA001ECA46354F7089BB6FB4F581B7E
  SHA256: A2F2BEFD68D16EE3383250D843491F431B29FB0E8999ABE3BA7D388EE3447C0D

PID: 4052 (TJClgGxXvpXdsjPB.exe)
  Filename: C:\Users\admin\AppData\Roaming\sihost\MDEServer.exe
  Type: executable
  MD5: ADDCDC0E3CC1966C34332BC0BBC312A0
  SHA256: B022B9FC415041640497A51B38FC2B5828A743F338E6EE7EF699D7D7BFF87211

PID: 2796 (WINWORD.EXE)
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
  Type: pgc
  MD5: 4D69D9BCBFC324E700A5A4D9E4D60348
  SHA256: B0222DC047C29341F9E3DBAF99CE9E18787FBE50A3485DADF3E273D21B6B2E9C

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll
  Type: executable
  MD5: 94AE25C7A5497CA0BE6882A00644CA64
  SHA256: 7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll
  Type: executable
  MD5: 2EA3901D7B50BF6071EC8732371B821C
  SHA256: 44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll
  Type: executable
  MD5: 6D778E83F74A4C7FE4C077DC279F6867
  SHA256: A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
HTTP(S) requests: 5
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

PID: 3132 (EQNEDT32.EXE)
  Method: GET
  HTTP Code: 200
  IP: 185.195.236.168:80
  URL: http://185.195.236.168/NjwjkNwdsvDgZwnRPjfhqHGkfbJDBhFfBwXzFbjFMP/Cashbag_Protected.exe
  CN: AT
  Type: executable
  Size: 1.11 Mb
  Reputation: malicious

PID: 1164 (MDEServer.exe)
  Method: POST
  HTTP Code: 200
  IP: 185.195.236.178:80
  URL: http://185.195.236.178/cashbag/index.php
  CN: AT
  Type: txt
  Size: 4.27 Mb
  Reputation: malicious

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Method: POST
  HTTP Code: 200
  IP: 185.195.236.178:80
  URL: http://185.195.236.178/cashbag/index.php
  CN: AT
  Type: text
  Size: 5 b
  Reputation: malicious

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Method: POST
  HTTP Code: 200
  IP: 185.195.236.178:80
  URL: http://185.195.236.178/cashbag/index.php
  CN: AT
  Type: txt
  Size: 4.27 Mb
  Reputation: malicious

PID: 1164 (MDEServer.exe)
  Method: POST
  HTTP Code: 200
  IP: 185.195.236.178:80
  URL: http://185.195.236.178/cashbag/index.php
  CN: AT
  Type: text
  Size: 5 b
  Reputation: malicious

Connections

PID: 3132 (EQNEDT32.EXE)
  IP: 185.195.236.168:80
  Domain: (none)
  ASN: Cristi Scumpu
  CN: AT
  Reputation: malicious

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  IP: 185.195.236.178:80
  Domain: (none)
  ASN: Cristi Scumpu
  CN: AT
  Reputation: malicious

PID: 1164 (MDEServer.exe)
  IP: 185.195.236.178:80
  Domain: (none)
  ASN: Cristi Scumpu
  CN: AT
  Reputation: malicious

DNS requests

No data

Threats

PID: 3132 (EQNEDT32.EXE)
  Class: A Network Trojan was detected
  Message: ET INFO Executable Download from dotted-quad Host

PID: 3132 (EQNEDT32.EXE)
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY PE EXE or DLL Windows file download HTTP

PID: 3132 (EQNEDT32.EXE)
  Class: Potentially Bad Traffic
  Message: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download

PID: 3132 (EQNEDT32.EXE)
  Class: Potentially Bad Traffic
  Message: ET INFO SUSPICIOUS Dotted Quad Host MZ Response

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Class: A Network Trojan was detected
  Message: ET TROJAN AZORult Variant.4 Checkin M2

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] AZORult client request

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] AZORult HTTP Header

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Class: Potentially Bad Traffic
  Message: ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] AZORult client request

PID: 3564 (TJClgGxXvpXdsjPB.exe)
  Class: Potentially Bad Traffic
  Message: ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2 ETPRO signatures available at the full report
No debug info