Field | Value |
---|---|
URL | https://bit.ly/2Mb1SGD |
Full analysis | https://app.any.run/tasks/1c9aaf98-8eba-4001-a92b-b93753f128f0 |
Verdict | Malicious activity |
Threats | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date | August 13, 2019, 13:25:56 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MD5 | D92A10D1F296FA907115A0D81ABC9B64 |
SHA1 | 8C674EF2907C3C947515AAFB0AC35DCFA5532962 |
SHA256 | E4273615BD110B7C1E04EA738842D43746129FE925AE83F522E2233F0B3E7397 |
SSDEEP | 3:N8kToq:2SD |

PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2264 | "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://bit.ly/2Mb1SGD" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | explorer.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 75.0.3770.100 | ||||
2164 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x70fea9d0,0x70fea9e0,0x70fea9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2580 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2612 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2864 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=17491259592026223004 --mojo-platform-channel-handle=1024 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3788 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=15123481794422462353 --mojo-platform-channel-handle=1624 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
4092 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6045655952598512595 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
2856 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7424723941278846202 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3400 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1980991686741230575 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
1164 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,2647212974985672907,2068481879732910935,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2269037864659182447 --mojo-platform-channel-handle=3324 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
3244 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | — | explorer.exe |
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Exit code: 0 Version: 1748 | ||||

PID | Process | Filename | Type | |
---|---|---|---|---|
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | — | |
MD5:— | SHA256:— | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | — | |
MD5:— | SHA256:— | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ea88ee9d-453e-4bf6-8814-f289371f8e52.tmp | — | |
MD5:— | SHA256:— | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | — | |
MD5:— | SHA256:— | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | |
MD5:— | SHA256:— | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF37110b.TMP | text | |
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30 | SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348 | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:DC32343F45B01764B6267AD36548102A | SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075 | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old | text | |
MD5:3D551B6E929CF62F7AA66091E718704B | SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404 | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old | text | |
MD5:911B244E4A362B56F2478647D2D61A40 | SHA256:3A5AEC1EA537D8841E604D0AA4CD5F9241C805A3D4EB4E372CFB7EEB3678A361 | |||
2264 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabs | binary | |
MD5:0686D6159557E1162D04C44240103333 | SHA256:3303D5EED881951B0BB52CF1C6BFA758770034D0120C197F9F7A3520B92A86FB | |||

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3244 | opera.exe | GET | 200 | 172.217.22.67:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 815 b | whitelisted |
3244 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted |
3788 | chrome.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAy%2BK8lPT%2B%2Fr4u1gFxGeJoE%3D | US | der | 471 b | whitelisted |
3244 | opera.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAy%2BK8lPT%2B%2Fr4u1gFxGeJoE%3D | US | der | 471 b | whitelisted |
3244 | opera.exe | GET | 200 | 216.58.206.3:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEBsLTAENQpqdmTkw83kxDuA%3D | US | der | 471 b | whitelisted |
3044 | winit.exe | GET | 200 | 185.194.141.58:80 | http://ip-api.com/json | DE | text | 298 b | shared |
5896 | taskhostw.exe | GET | 404 | 194.67.196.43:80 | http://taskhostw.com/randomx/loaderTOP.html | RU | html | 299 b | suspicious |
3788 | chrome.exe | GET | 200 | 93.184.220.29:80 | http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 528 b | whitelisted |
3244 | opera.exe | GET | 200 | 216.58.206.3:80 | http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDo4ppmeCJaKx8etRHAIrWs%3D | US | der | 471 b | whitelisted |
1252 | taskhost.exe | GET | 404 | 194.67.196.43:80 | http://taskhostw.com/randomink/L.html | RU | html | 293 b | suspicious |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3788 | chrome.exe | 172.217.18.110:443 | drive.google.com | Google Inc. | US | whitelisted |
3788 | chrome.exe | 216.58.206.1:443 | doc-0o-2g-docs.googleusercontent.com | Google Inc. | US | whitelisted |
3788 | chrome.exe | 172.217.18.173:443 | accounts.google.com | Google Inc. | US | whitelisted |
3788 | chrome.exe | 67.199.248.11:443 | bit.ly | Bitly Inc | US | shared |
3788 | chrome.exe | 67.199.248.10:443 | bit.ly | Bitly Inc | US | shared |
3244 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | — | whitelisted |
3788 | chrome.exe | 172.217.21.196:443 | www.google.com | Google Inc. | US | whitelisted |
3788 | chrome.exe | 216.58.210.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
3788 | chrome.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3788 | chrome.exe | 172.217.16.131:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |

Domain | IP | Reputation |
---|---|---|
bit.ly | — | shared |
clientservices.googleapis.com | — | whitelisted |
accounts.google.com | — | shared |
www.google.com | — | whitelisted |
ocsp.digicert.com | — | whitelisted |
ssl.gstatic.com | — | whitelisted |
crl4.digicert.com | — | whitelisted |
drive.google.com | — | shared |
doc-0o-2g-docs.googleusercontent.com | — | shared |
certs.opera.com | — | whitelisted |

PID | Process | Class | Message |
---|---|---|---|
2444 | ink.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2444 | ink.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
2444 | ink.exe | A Network Trojan was detected | AV TROJAN AZORult CnC Beacon |
2444 | ink.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2444 | ink.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
3044 | winit.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
3044 | winit.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
3044 | winit.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api.com) |
5896 | taskhostw.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
5896 | taskhostw.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |

Process | Message |
---|---|
rutserv.exe | TMainService.Start |
rutserv.exe | GUID_MONITOR_POWER_ON |
rutserv.exe | 13-08-2019_14:28:53:341#T:Msg Size: 104 |
rutserv.exe | 13-08-2019_14:28:53:341#T:Msg code: 3 |
rutserv.exe | 13-08-2019_14:28:53:341#T:MSG_KEEP_ALIVE |
rutserv.exe | MSG_KEEP_ALIVE |
rundll.exe | Python failed to load the default activation context |
rutserv.exe | 13-08-2019_14:29:22:699#T:Msg Size: 104 |
rutserv.exe | 13-08-2019_14:29:22:699#T:Msg code: 3 |
rutserv.exe | 13-08-2019_14:29:22:699#T:MSG_KEEP_ALIVE |