File name: | Payments.rtf |
Full analysis: | https://app.any.run/tasks/987f2214-577d-4416-95fb-ea7c1cec7ea3 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | April 15, 2019, 09:36:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, unknown version |
MD5: | 687E6860F3512060DCE67BBE92E8D213 |
SHA1: | 8B21BF6BD8F48A91E0445BE02666C9CB2110A7B1 |
SHA256: | AB15B95275561F7462BBE6FC9926DBF2E5E049EB40BE62E5EA51889708F7FCF7 |
SSDEEP: | 24576:ne+wxme+wxme+wxzo9huHVo9cVe+wxme+wxme+wxzo9huHVo9cg:u |
.rtf | | | Rich Text Format (100) |
---|
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3040 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Payments.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2108 | "C:\Users\admin\AppData\Roaming\payments.exe" | C:\Users\admin\AppData\Roaming\payments.exe | — | WINWORD.EXE |
User: admin Company: AxInstSv Integrity Level: MEDIUM Description: aitstatic Exit code: 0 Version: 269.40.279.184 | ||||
1664 | "C:\Users\admin\AppData\Roaming\payments.exe" | C:\Users\admin\AppData\Roaming\payments.exe | payments.exe | |
User: admin Company: AxInstSv Integrity Level: MEDIUM Description: aitstatic Exit code: 0 Version: 269.40.279.184 | ||||
3500 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "payments.exe" | C:\Windows\system32\cmd.exe | — | payments.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3564 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR6832.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7ACA2312.png | — | |
MD5:— | SHA256:— | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32FEF3EB.png | — | |
MD5:— | SHA256:— | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\Abctfhghghghghg.sct | binary | |
MD5:F92213E4261EDEC5B9620EC5F5F41D73 | SHA256:D2F8FE3C0DA973F14D7D60BA7C07106DC63374CCA005786DDD5F62C8CABAC6A0 | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\ley2-bin_Protected[1].exe | executable | |
MD5:23CC62774BA135511D52DECC03546CBF | SHA256:007D3DCD431618F92C5D56F882EFA7662D5F7C3D75892741E756CEAFE07E1CF0 | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\payments.exe | executable | |
MD5:23CC62774BA135511D52DECC03546CBF | SHA256:007D3DCD431618F92C5D56F882EFA7662D5F7C3D75892741E756CEAFE07E1CF0 | |||
1664 | payments.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll | executable | |
MD5:502263C56F931DF8440D7FD2FA7B7C00 | SHA256:94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231 | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:65A14A601AF6597AC6E48922957494B4 | SHA256:0E8EE7C820D5510C7AAE1F3C795EAB1CEB347B99887978BB86C8F4DE742165CB | |||
3040 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$yments.rtf | pgc | |
MD5:A297C84373BD4D796E085DBDA3E6CC76 | SHA256:129D68DCD2A08E8B5312F03FA96825406CFAF25878FF01E99E74D4B888111CA6 | |||
1664 | payments.exe | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll | executable | |
MD5:E479444BDD4AE4577FD32314A68F5D28 | SHA256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1664 | payments.exe | POST | 200 | 51.77.76.179:80 | http://lestonline.gq/400/index.php | GB | text | 2 b | malicious |
1664 | payments.exe | POST | 200 | 51.77.76.179:80 | http://lestonline.gq/400/index.php | GB | binary | 4.27 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1664 | payments.exe | 51.77.76.179:80 | lestonline.gq | — | GB | malicious |
3040 | WINWORD.EXE | 23.226.129.107:443 | wareen.com | QuadraNet, Inc | US | malicious |
Domain | IP | Reputation |
---|---|---|
wareen.com |
| malicious |
lestonline.gq |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain |
1664 | payments.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
1664 | payments.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
1664 | payments.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
1664 | payments.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.gq domain |
1664 | payments.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
1664 | payments.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
1664 | payments.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.gq domain |
1664 | payments.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |