| Field | Value |
|---|---|
| File name | Purchase Order.ace |
| Full analysis | https://app.any.run/tasks/a222d067-ab07-4985-853f-1c37aa80346b |
| Verdict | Malicious activity |
| Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
| Analysis date | December 14, 2018, 12:55:01 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/octet-stream |
| File info | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
| MD5 | 21C185C853B68B52FDFAAD8817C8BF22 |
| SHA1 | 97969FABFB25B6594E382CC95936B6D9E4260575 |
| SHA256 | E37FD5F0BFCDB90729CD86C6AAD4F3C1293D27422F80164A7E06A68C93B89244 |
| SSDEEP | 12288:JzBpy0IN4ngEcky/sJIXTRaFf0oew6R/+1h:JzBpy14nVeCID+Hev9+X |
| Detected type | .ace: ACE compressed archive (100) |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2840 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Purchase Order.ace" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.60.0 |
| 2768 | "rundll32.exe" desk.cpl,InstallScreenSaver C:\Users\admin\Desktop\Purchase Order.scr | C:\Windows\system32\rundll32.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3956 | "C:\Users\admin\Desktop\Purchase Order.scr" /p 262508 | C:\Users\admin\Desktop\Purchase Order.scr | — | rundll32.exe | admin | kaSPERSkY LAb ZAO | MEDIUM | aUDACITY Team | 0 | 1.00 |
| 2456 | "C:\Users\admin\Desktop\Purchase Order.scr" /p 262508 | C:\Users\admin\Desktop\Purchase Order.scr | | Purchase Order.scr | admin | kaSPERSkY LAb ZAO | MEDIUM | aUDACITY Team | 0 | 1.00 |
| 2520 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "Purchase Order.scr" | C:\Windows\system32\cmd.exe | — | Purchase Order.scr | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3108 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | timeout - pauses command processing | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| 2840 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | write | LanguageList | en-US |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Purchase Order.ace |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | write | Count | 0 |
| 2840 | WinRAR.exe | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | write | Name | 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B476265747F766472375865737265397674721717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2840 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2840.14023\Purchase Order.scr | — | — | — |
| 2768 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme | text | 2F4FD1DB4CABA1569028D2DACDFA0E71 | D8496E18E8AA7BC4A525D553D103E8B818AFB63250FFB20DDF124A68C10445E2 |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll | executable | 6DB54065B33861967B491DD1C8FD8595 | 945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5 |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll | executable | E479444BDD4AE4577FD32314A68F5D28 | C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719 |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll | executable | E2F648AE40D234A3892E1455B4DBBE05 | C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03 |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll | executable | 2EA3901D7B50BF6071EC8732371B821C | 44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll | executable | 94AE25C7A5497CA0BE6882A00644CA64 | 7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll | executable | 502263C56F931DF8440D7FD2FA7B7C00 | 94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231 |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll | executable | 88FF191FD8648099592ED28EE6C442A5 | C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D |
| 2456 | Purchase Order.scr | C:\Users\admin\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll | executable | CB978304B79EF53962408C611DFB20F5 | 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2456 | Purchase Order.scr | POST | 200 | 46.21.150.161:80 | http://46.21.150.161/olisa/index.php | US | txt | 4.27 Mb | malicious |
| 2456 | Purchase Order.scr | POST | 200 | 46.21.150.161:80 | http://46.21.150.161/olisa/index.php | US | text | 5 b | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2456 | Purchase Order.scr | 46.21.150.161:80 | — | Swiftway Sp. z o.o. | US | malicious |
| PID | Process | Class | Message |
|---|---|---|---|
| 2456 | Purchase Order.scr | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
| 2456 | Purchase Order.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
| 2456 | Purchase Order.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
| 2456 | Purchase Order.scr | Potentially Bad Traffic | ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1 |
| 2456 | Purchase Order.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult HTTP Header |
| 2456 | Purchase Order.scr | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |