File name: | 945cf03162b3d44295ecee45828c96e4a7fac007.xls |
Full analysis: | https://app.any.run/tasks/cfb5b818-b516-491e-846f-be5539160818 |
Verdict: | Malicious activity |
Threats: | AZORult is an information stealer that harvests banking data, saved browser and application passwords, credit card details and cryptocurrency wallet files. It is regularly updated and remains an active threat. |
Analysis date: | September 30, 2020, 09:34:21 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.ms-excel |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: DELL, Last Saved By: DELL, Create Time/Date: Wed Sep 30 00:04:07 2020, Last Saved Time/Date: Wed Sep 30 00:04:07 2020, Security: 0 |
MD5: | 9C69A9C4C6C64FA5F438D68F610D6C4B |
SHA1: | 945CF03162B3D44295ECEE45828C96E4A7FAC007 |
SHA256: | B776729640FC580C8CCBDE856ECD6FCFE6CBAC308753F01DBDC3E29F1871E2DE |
SSDEEP: | 6144:ck3hOdsylKlgryzc4bNhZF+E+W2knwyNyMd4B7t0K8JSHIe6cJBDZKcHpH9szWEo:9yMd4ltuJqbDZKcJdszkSwkT62q5n |
Extension | Description | Match (%)
---|---|---
.xls | Microsoft Excel sheet | 48
.xls | Microsoft Excel sheet (alternate) | 39.2
CompObjUserType: | Microsoft Excel 2003 Worksheet |
CompObjUserTypeLen: | 31 |
HeadingPairs: | |
TitleOfParts: | Sheet 1 |
HyperlinksChanged: | No |
SharedDoc: | No |
LinksUpToDate: | No |
ScaleCrop: | No |
AppVersion: | 15 |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2020:09:29 23:04:07 |
CreateDate: | 2020:09:29 23:04:07 |
LastModifiedBy: | DELL |
Author: | DELL |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
3648 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | | explorer.exe
3648 (details) | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Excel; Version: 14.0.6024.1000 | | |
2152 | "C:\Users\Public\svchost32.exe" | C:\Users\Public\svchost32.exe | | EXCEL.EXE
2152 (details) | User: admin; Company: z&82b[m@16y+]5q7g_,9; Integrity Level: MEDIUM; Description: 6o~d{4?8i1z@p%37a;h; Exit code: 0; Version: 9.13.18.22 | | |
572 | "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nore /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\dmgy.exe" | C:\Windows\system32\cmd.exe | — | svchost32.exe
572 (details) | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | |
3144 | REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v nore /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\dmgy.exe" | C:\Windows\system32\reg.exe | | cmd.exe
3144 (details) | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Registry Console Tool; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | |
1148 | "C:\Users\admin\dmgy.exe" | C:\Users\admin\dmgy.exe | — | svchost32.exe
1148 (details) | User: admin; Company: z&82b[m@16y+]5q7g_,9; Integrity Level: MEDIUM; Description: 6o~d{4?8i1z@p%37a;h; Exit code: 0; Version: 9.13.18.22 | | |
2572 | "C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe" | C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe | | dmgy.exe
2572 (details) | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: AddInProcess.exe; Exit code: 0; Version: 4.7.3062.0 built by: NET472REL1 | | |
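Detection logic for the chain the process tree above and the file-drop table below record: an Office process spawning an executable from a user-writable directory, a Run-key value that proxies the payload through `pcalua.exe -a`, the same SHA256 written under three different names, and an executable parked under a `.jpg` extension. This is an added example and is not part of the ANY.RUN report or any vendor code. The event and file records are constructed from the report's own command lines, parents, paths and hashes, plus one constructed benign Run-key entry as a negative control; the Office image list and the non-executable extension list are assumptions chosen for illustration.

```python
"""Added example: flag the persistence and masquerading patterns seen in the report.

Not part of the ANY.RUN report. Records are constructed from the report's
process and file tables; the benign control entry is also constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent: str


# Constructed from the report's process table (same PIDs, command lines, parents).
EVENTS = [
    ProcEvent(3648, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde', "explorer.exe"),
    ProcEvent(2152, r"C:\Users\Public\svchost32.exe",
              r'"C:\Users\Public\svchost32.exe"', "EXCEL.EXE"),
    ProcEvent(572, r"C:\Windows\system32\cmd.exe",
              r'"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /f /v nore /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\dmgy.exe"',
              "svchost32.exe"),
    ProcEvent(3144, r"C:\Windows\system32\reg.exe",
              r'REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /f /v nore /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\admin\dmgy.exe"',
              "cmd.exe"),
    ProcEvent(1148, r"C:\Users\admin\dmgy.exe", r'"C:\Users\admin\dmgy.exe"', "svchost32.exe"),
    ProcEvent(2572, r"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe",
              r'"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe"', "dmgy.exe"),
    # Constructed benign control: an ordinary Run-key entry must not be flagged as proxied.
    ProcEvent(4000, r"C:\Windows\system32\reg.exe",
              r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ'
              r' /d "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f', "cmd.exe"),
]

# Constructed from the report's file table: (path, sandbox type, SHA256).
FILES = [
    (r"C:\Users\Public\svchost32.exe", "executable",
     "911304A44C09DDD14B8F1AC4D21777B3B3BCD3B7D69D85A4B60D28983EBD0FC5"),
    (r"C:\Users\admin\dmgy.exe", "executable",
     "911304A44C09DDD14B8F1AC4D21777B3B3BCD3B7D69D85A4B60D28983EBD0FC5"),
    (r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\BDO-1218[1].jpg",
     "executable", "911304A44C09DDD14B8F1AC4D21777B3B3BCD3B7D69D85A4B60D28983EBD0FC5"),
    (r"C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe", "executable",
     "978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E"),
]

OFFICE = {"EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}  # assumed list of Office parents
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)
RUN_KEY = re.compile(
    r"\bREG\s+ADD\b.*\b(HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
# Run-key data that routes through the Program Compatibility Assistant launcher: pcalua.exe -a <target>
PCALUA = re.compile(r'pcalua\.exe"?\s+-a\s+"?([^"]+?)"?\s*$', re.I)
NON_EXEC_EXT = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}  # assumed list


def run_key_write(cmdline):
    """Return (value_name, data) when cmdline writes an HKCU Run value, else None."""
    if not RUN_KEY.search(cmdline):
        return None
    name = re.search(r"/v\s+(\S+)", cmdline, re.I)
    # Data runs from /d to the end, minus any trailing switches such as /f.
    data = re.search(r"/d\s+(.*?)(?:\s+/[a-zA-Z]+)*\s*$", cmdline, re.I)
    return (name.group(1) if name else "", data.group(1) if data else "")


def analyze_processes(events):
    """Flag Office children in user-writable paths and pcalua-proxied Run-key persistence."""
    findings = []
    for ev in events:
        if ev.parent.upper() in OFFICE and USER_WRITABLE.match(ev.image):
            findings.append((ev.pid, "office-child-in-user-dir", ev.image))
        rk = run_key_write(ev.cmdline)
        if rk:
            name, data = rk
            m = PCALUA.search(data)
            if m:  # the persisted target is the -a argument, not pcalua.exe itself
                findings.append((ev.pid, "run-key-pcalua-proxy", f"{name} -> {m.group(1)}"))
    return findings


def analyze_files(files):
    """Group drops by hash and flag executables parked under a non-executable extension."""
    by_hash, masquerades = {}, []
    for path, ftype, sha in files:
        by_hash.setdefault(sha, []).append(path)
        ext = "." + path.rsplit(".", 1)[-1].lower()
        if ftype == "executable" and ext in NON_EXEC_EXT:
            masquerades.append(path)
    reused = {sha: paths for sha, paths in by_hash.items() if len(paths) > 1}
    return reused, masquerades


if __name__ == "__main__":
    for finding in analyze_processes(EVENTS):
        print(*finding)
    reused, masq = analyze_files(FILES)
    for sha, paths in reused.items():
        print(sha[:16], "written to", len(paths), "paths")
    print("masquerading:", masq)
```

Both `cmd.exe` (PID 572) and its `reg.exe` child (PID 3144) carry the same command line, so the Run-key rule fires once per process; deduplicate on the value name and target if one alert per host is wanted. The constructed OneDrive entry writes to the same key but is not proxied, so it produces no finding.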
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3648 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRA7BA.tmp.cvr | — | — | —
3648 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat | text | 708F5EB46C65A78EC4C63AA444A58968 | 2AADECEA121EE8F033F6411993280404FE671DEE51BA57A1A2EFF3EDD8D61A36
3648 | EXCEL.EXE | C:\Users\Public\svchost32.exe | executable | 9B938B83151DF9B6AAEA33181BF996AE | 911304A44C09DDD14B8F1AC4D21777B3B3BCD3B7D69D85A4B60D28983EBD0FC5
2152 | svchost32.exe | C:\Users\admin\dmgy.exe | executable | 9B938B83151DF9B6AAEA33181BF996AE | 911304A44C09DDD14B8F1AC4D21777B3B3BCD3B7D69D85A4B60D28983EBD0FC5
3648 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\BDO-1218[1].jpg | executable | 9B938B83151DF9B6AAEA33181BF996AE | 911304A44C09DDD14B8F1AC4D21777B3B3BCD3B7D69D85A4B60D28983EBD0FC5
3648 | EXCEL.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\945cf03162b3d44295ecee45828c96e4a7fac007.xls.LNK | lnk | 473EF6F3D8C9BBF2D3CAD16E8CE321C3 | BCD4735A7D11EF98DC48C6510817302048A3621DFC2B4605380079F006E28FAA
2152 | svchost32.exe | C:\Users\admin\AppData\Local\Temp\AddInProcess32.exe | executable | 6A673BFC3B67AE9782CB31AF2F234C68 | 978A4093058AA2EBF05DC353897D90D950324389879B57741B64160825B5EC0E
2152 | svchost32.exe | C:\Users\admin\AppData\Local\Temp\a6a0b8a6-4761-4357-9a31-0eca6ad70093\f.dll | executable | 14FF402962AD21B78AE0B4C43CD1F194 | FB9646CB956945BDC503E69645F6B5316D3826B780D3C36738D6B944E884D15B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
---|---|---|---|---|---|---|---|---|---
3648 | EXCEL.EXE | GET | 200 | 185.33.85.52:80 | http://185.33.85.52/FR/BDO-1218.jpg | GB | executable | 299 KB | malicious
2572 | AddInProcess32.exe | POST | 200 | 198.50.160.198:80 | http://books.myscriptcase.com/index.php | CA | text | 7 B | malicious
PID | Process | IP | Domain | ASN | CN | Reputation
---|---|---|---|---|---|---
3648 | EXCEL.EXE | 185.33.85.52:80 | — | — | GB | malicious
2572 | AddInProcess32.exe | 198.50.160.198:80 | books.myscriptcase.com | OVH SAS | CA | malicious
Domain | IP | Reputation
---|---|---
books.myscriptcase.com | 198.50.160.198 | malicious
PID | Process | Class | Message
---|---|---|---
2572 | AddInProcess32.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2572 | AddInProcess32.exe | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.2 Client Checkin M3 |
2572 | AddInProcess32.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
2572 | AddInProcess32.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
2572 | AddInProcess32.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult |
2572 | AddInProcess32.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult v.3 |