analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PO.doc

Full analysis: https://app.any.run/tasks/f8583b93-a9fa-411c-9ad1-205da313f65c
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: September 30, 2020, 09:14:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
rat
azorult
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

8A2325E7F1446F5204B2B838584DBE8A

SHA1:

D00A92AC5B488D28C5677651D94077AB2FBD370B

SHA256:

C5A2E16C54143D39709187E53EC5196587EB004D64F0D3AEFF35BC61F123279E

SSDEEP:

12288:GxvA3pjJx7BC0zqE5JB2Oo83D34CAlM+yhz0pfS4Xpl6kJIzau81m+l06jqf:Q43prBtbFD4BA0g4Xpl6kJIzV81Fmjf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • jkfnfjp.exe (PID: 2592)
      • jkfnfjp.exe (PID: 1912)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3252)
    • Changes settings of System certificates

      • jkfnfjp.exe (PID: 2592)
    • AZORULT was detected

      • jkfnfjp.exe (PID: 2592)
    • Connects to CnC server

      • jkfnfjp.exe (PID: 2592)
  • SUSPICIOUS

    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3252)
      • jkfnfjp.exe (PID: 2592)
    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 3252)
      • jkfnfjp.exe (PID: 2592)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3252)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3252)
    • Application launched itself

      • jkfnfjp.exe (PID: 1912)
    • Adds / modifies Windows certificates

      • jkfnfjp.exe (PID: 2592)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2536)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe jkfnfjp.exe no specs #AZORULT jkfnfjp.exe

Process information

PID
CMD
Path
Indicators
Parent process
2536"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\PO.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
3252"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
1912C:\Users\admin\AppData\Roaming\jkfnfjp.exeC:\Users\admin\AppData\Roaming\jkfnfjp.exeEQNEDT32.EXE
User:
admin
Company:
RSA Security
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
2592C:\Users\admin\AppData\Roaming\jkfnfjp.exeC:\Users\admin\AppData\Roaming\jkfnfjp.exe
jkfnfjp.exe
User:
admin
Company:
RSA Security
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Total events
1 655
Read events
954
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
7
Text files
3
Unknown types
5

Dropped files

PID
Process
Filename
Type
2536WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRAD48.tmp.cvr
MD5:
SHA256:
3252EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\CabB8C2.tmp
MD5:
SHA256:
3252EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\TarB8C3.tmp
MD5:
SHA256:
2592jkfnfjp.exeC:\Users\admin\AppData\Local\Temp\TarCD35.tmp
MD5:
SHA256:
2536WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:F7FF93D120650D518A07EBD88C9B2EBB
SHA256:32D4459D973B4EC4AE2EDD4C890A38A0AEC173B3C9D62466E499354FA43A08D3
3252EQNEDT32.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_0450F37A94D5EA2CF49E48BAD46C6D66der
MD5:1EF92B54EFF33B92A88B285839CD4169
SHA256:CF7A8E6DCE822575304A4CCBFEB690DFB5CFFC80813E92D45D91E3942734367E
2592jkfnfjp.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203binary
MD5:2544B41D9692F1E94358BD56E4B081BE
SHA256:347C539DA6FD754170A5F9F843C0CAAFD968F1E99302D6EEE7E9D565CF4DB384
2592jkfnfjp.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203der
MD5:A2959A9251CDE41E2E2AF5E50230C435
SHA256:88ABA492F4950C7AE7B4E616FEA36C74AAFBBBC0803AE16D17DEFAFF412A6DB0
3252EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\MQW2FD0Y.txttext
MD5:B8C95B16923DDB23B072DA068F102A4F
SHA256:EC092ED217BEFB4FB38451F3C57F680A2D58F7BF7678EE8D686FAD8A5A2045D3
3252EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\linkzsee[1].exeexecutable
MD5:A8CD21CE72B150D171F528E561099C9A
SHA256:CE71CCAA67A6A21A110CC99DA99DA0E7595A392FE54CEAD5685DBF706E3C9D05
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
11
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3252
EQNEDT32.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAm3dP7Fjebz%2Fohu3pXPtrY%3D
US
der
278 b
whitelisted
3252
EQNEDT32.EXE
GET
301
104.18.43.26:80
http://readcivil.com/wp-content/plugins/xomert/linkzsee.exe
US
html
268 b
malicious
2592
jkfnfjp.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
US
der
1.47 Kb
whitelisted
2592
jkfnfjp.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1052
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1052
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA7yTSbUNi7CXXtef0luXqk%3D
US
der
279 b
whitelisted
2592
jkfnfjp.exe
POST
400
103.253.212.238:443
http://bprbalidananiaga.co.id:443/linkbaba/PL341/index.php
ID
html
483 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3252
EQNEDT32.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2592
jkfnfjp.exe
13.107.42.13:443
onedrive.live.com
Microsoft Corporation
US
malicious
3252
EQNEDT32.EXE
104.18.43.26:80
readcivil.com
Cloudflare Inc
US
shared
3252
EQNEDT32.EXE
104.18.43.26:443
readcivil.com
Cloudflare Inc
US
shared
2592
jkfnfjp.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2592
jkfnfjp.exe
13.107.42.12:443
ss3siw.bl.files.1drv.com
Microsoft Corporation
US
suspicious
2592
jkfnfjp.exe
103.253.212.238:443
bprbalidananiaga.co.id
Rumahweb Indonesia CV.
ID
malicious
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
readcivil.com
  • 104.18.43.26
  • 104.18.42.26
  • 172.67.217.188
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
onedrive.live.com
  • 13.107.42.13
shared
ss3siw.bl.files.1drv.com
  • 13.107.42.12
whitelisted
bprbalidananiaga.co.id
  • 103.253.212.238
malicious

Threats

PID
Process
Class
Message
3252
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2592
jkfnfjp.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2592
jkfnfjp.exe
A Network Trojan was detected
ET TROJAN Win32/AZORult V3.3 Client Checkin M2
2592
jkfnfjp.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult
2592
jkfnfjp.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
No debug info