File name: | Attachement_21000002136572540682154387540346723.img |
Full analysis: | https://app.any.run/tasks/11af5161-0968-4596-be21-f8c2fe18f992 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | July 18, 2019, 01:03:26 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-iso9660-image |
File info: | UDF filesystem data (version 1.5) 'DESKTOP' |
MD5: | 71A0D311DA42DBF96308658924AE3533 |
SHA1: | 98C3EA72B6187400B04376D57E46754C74307006 |
SHA256: | A8067B03EC32DC5F5A21CB6DB6CB8BEBA43AA0E3FB7070D5EADD75599EF37856 |
SSDEEP: | 6144:4ThuF1UxvtV/Z3bmzW6CBOruTBVKQB3CzGMuU6c8bsU5DQwhEgPbbBt+JsZBx30T:WJbmzW6CIr2DV3CqW6eCkXYbXcsZnE |
Extension | Detected type (score)
---|---
.atn | Photoshop Action (37.5)
.gmc | Game Music Creator Music (8.4)
.abr | Adobe PhotoShop Brush (7.5)
VolumeSize: | 1198 kB |
VolumeModifyDate: | 2019:07:17 15:26:18.00+01:00 |
VolumeCreateDate: | 2019:07:17 15:26:18.00+01:00 |
Software: | IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER! |
VolumeSetName: | UNDEFINED |
RootDirectoryCreateDate: | 2019:07:17 15:26:18+01:00 |
VolumeBlockSize: | 2048 |
VolumeBlockCount: | 599 |
VolumeName: | DESKTOP |
PID | CMD | Path | Indicators | Parent process | Process details
---|---|---|---|---|---
3684 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Attachement_21000002136572540682154387540346723.img | C:\Windows\system32\rundll32.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3956 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Attachement_21000002136572540682154387540346723.img" | C:\Program Files\WinRAR\WinRAR.exe | — | rundll32.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.60.0
2360 | "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe" | C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe | — | explorer.exe | User: admin; Company: ohuzigolaxehaciniguxij; Integrity Level: MEDIUM; Description: asocoyax; Exit code: 0; Version: 1.1.1.2
3108 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | Attachement_21000002136572540682154387540346723.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2256 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | Attachement_21000002136572540682154387540346723.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2776 | "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe" | C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe | — | explorer.exe | User: admin; Company: ohuzigolaxehaciniguxij; Integrity Level: HIGH; Description: asocoyax; Exit code: 0; Version: 1.1.1.2
2032 | "C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe" "C:\Users\admin\AppData\Roaming\asfasddsfasf.exe" | C:\Windows\System32\cmd.exe | — | Attachement_21000002136572540682154387540346723.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3404 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | Attachement_21000002136572540682154387540346723.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2416 | "C:\Windows\System32\cmd.exe" /C type nul > "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe:Zone.Identifier" | C:\Windows\System32\cmd.exe | — | Attachement_21000002136572540682154387540346723.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3216 | "C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe" | C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe | — | explorer.exe | User: admin; Company: ohuzigolaxehaciniguxij; Integrity Level: MEDIUM; Description: asocoyax; Exit code: 0; Version: 1.1.1.2
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3956 | WinRAR.exe | C:\Users\admin\Desktop\Attachement_21000002136572540682154387540346723.exe | executable | 84A9E3F3782F6C6E8A8D53EA4822BCE7 | 38A689E3CFE024CF53D07E3F6830DA32C836C4C06C96478FDA9A36E22D540A9C
2032 | cmd.exe | C:\Users\admin\AppData\Roaming\asfasddsfasf.exe | executable | 84A9E3F3782F6C6E8A8D53EA4822BCE7 | 38A689E3CFE024CF53D07E3F6830DA32C836C4C06C96478FDA9A36E22D540A9C
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll | executable | E2F648AE40D234A3892E1455B4DBBE05 | C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
1664 | cmd.exe | C:\Users\admin\AppData\Roaming\asfasddsfasf.exe | executable | 84A9E3F3782F6C6E8A8D53EA4822BCE7 | 38A689E3CFE024CF53D07E3F6830DA32C836C4C06C96478FDA9A36E22D540A9C
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll | executable | CB978304B79EF53962408C611DFB20F5 | 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll | executable | 6DB54065B33861967B491DD1C8FD8595 | 945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll | executable | D0289835D97D103BAD0DD7B9637538A1 | 91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll | executable | 2EA3901D7B50BF6071EC8732371B821C | 44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll | executable | D0873E21721D04E20B6FFB038ACCF2F1 | BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
2576 | asfasddsfasf.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll | executable | D500D9E24F33933956DF0E26F087FD91 | BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4076 | asfasddsfasf.exe | POST | 200 | 202.52.147.109:80 | http://lawantumorotak.com/img/index.php | ID | binary | 4.27 Mb | malicious |
2576 | asfasddsfasf.exe | POST | 200 | 202.52.147.109:80 | http://lawantumorotak.com/img/index.php | ID | binary | 4.27 Mb | malicious |
4076 | asfasddsfasf.exe | POST | 200 | 202.52.147.109:80 | http://lawantumorotak.com/img/index.php | ID | text | 2 b | malicious |
2576 | asfasddsfasf.exe | POST | 200 | 202.52.147.109:80 | http://lawantumorotak.com/img/index.php | ID | text | 2 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4076 | asfasddsfasf.exe | 202.52.147.109:80 | lawantumorotak.com | Global Media Teknologi, PT | ID | suspicious |
2576 | asfasddsfasf.exe | 202.52.147.109:80 | lawantumorotak.com | Global Media Teknologi, PT | ID | suspicious |
Domain | IP | Reputation
---|---|---
lawantumorotak.com | | malicious
PID | Process | Class | Message |
---|---|---|---|
2576 | asfasddsfasf.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2576 | asfasddsfasf.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
2576 | asfasddsfasf.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
2576 | asfasddsfasf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2576 | asfasddsfasf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2576 | asfasddsfasf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult encrypted PE file |
4076 | asfasddsfasf.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
4076 | asfasddsfasf.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
4076 | asfasddsfasf.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
4076 | asfasddsfasf.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |