analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://yadi.sk/d/5k8qOceZrRxb9g

Full analysis: https://app.any.run/tasks/ab206c2c-a682-4fe8-b27d-329edeafc887
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: October 14, 2019, 15:54:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
azorult
Indicators:
MD5:

8647497F703DBC911971123055EB41D5

SHA1:

0E55E55C56A428A30820F8FC555BB5F65BF1BFC0

SHA256:

E9267E9FEE314033944BE22CD3303E05339CBB8D92B936FC14E81C762371DE21

SSDEEP:

3:N8jqqa1:2eqw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Injector.exe (PID: 3288)
      • Injector.exe (PID: 1584)
      • Injector.exe (PID: 956)
      • csrss.exe (PID: 2860)
      • svchost.exe (PID: 1152)
      • 1.exe (PID: 4040)
      • Injector.exe (PID: 3392)
      • Injector.exe (PID: 3400)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3476)
      • 1.exe (PID: 4040)
      • csrss.exe (PID: 2860)
    • AZORULT was detected

      • csrss.exe (PID: 2860)
    • Connects to CnC server

      • csrss.exe (PID: 2860)
    • Actions looks like stealing of personal data

      • csrss.exe (PID: 2860)
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2480)
    • Executable content was dropped or overwritten

      • Injector.exe (PID: 1584)
      • svchost.exe (PID: 1152)
      • 1.exe (PID: 4040)
      • csrss.exe (PID: 2860)
    • Creates executable files which already exist in Windows

      • Injector.exe (PID: 1584)
    • Creates files in the program directory

      • svchost.exe (PID: 1152)
      • 1.exe (PID: 4040)
    • Reads internet explorer settings

      • Injector.exe (PID: 956)
      • Injector.exe (PID: 3400)
    • Creates files in the user directory

      • 1.exe (PID: 4040)
    • Reads the cookies of Mozilla Firefox

      • csrss.exe (PID: 2860)
    • Reads the cookies of Google Chrome

      • csrss.exe (PID: 2860)
    • Starts CMD.EXE for self-deleting

      • csrss.exe (PID: 2860)
    • Starts CMD.EXE for commands execution

      • csrss.exe (PID: 2860)
  • INFO

    • Creates files in the user directory

      • chrome.exe (PID: 2480)
    • Reads the hosts file

      • chrome.exe (PID: 2480)
      • chrome.exe (PID: 1944)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 2480)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1944)
    • Application launched itself

      • chrome.exe (PID: 2480)
    • Manual execution by user

      • Injector.exe (PID: 1584)
      • explorer.exe (PID: 516)
      • Injector.exe (PID: 3392)
      • Injector.exe (PID: 3400)
      • explorer.exe (PID: 2204)
    • Application was crashed

      • 1.exe (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
89
Monitored processes
43
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe no specs chrome.exe no specs searchprotocolhost.exe no specs injector.exe injector.exe no specs chrome.exe no specs injector.exe #AZORULT csrss.exe svchost.exe 1.exe chrome.exe no specs explorer.exe no specs cmd.exe no specs timeout.exe no specs explorer.exe no specs injector.exe no specs injector.exe

Process information

PID
CMD
Path
Indicators
Parent process
2480"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://yadi.sk/d/5k8qOceZrRxb9g"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3232"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d90a9d0,0x6d90a9e0,0x6d90a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2104"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2128 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2520"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7239063143642065153 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1944"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=4832128318922563017 --mojo-platform-channel-handle=1524 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1740"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7936048212575409279 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1956"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9852255264778264316 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3876"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5826498935246159233 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3468"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18245451169417997574 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1048"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=988,18050591135156919140,2177277621110513208,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12022780534278573077 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
Total events
2 138
Read events
1 930
Write events
0
Delete events
0

Modification events

No data
Executable files
54
Suspicious files
45
Text files
233
Unknown types
6

Dropped files

PID
Process
Filename
Type
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\166d84dd-9c69-4457-8e3c-e6fe75ffdd0e.tmp
MD5:
SHA256:
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF39a8dd.TMPtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old~RF39a93b.TMPtext
MD5:3D551B6E929CF62F7AA66091E718704B
SHA256:1698A1B1BC3E86676392FB8BD4C712438302A5A2220503C08F290ED4B1790404
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF39a8dd.TMPtext
MD5:213AE3DA120D7862D60B5763B6C9D466
SHA256:5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF39a8dd.TMPtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:C4D6CBB269C626168A5D6D0D8CCE6C30
SHA256:B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348
2480chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF39a92b.TMPtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
84
DNS requests
49
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1944
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
513 b
whitelisted
1944
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
508 b
whitelisted
956
Injector.exe
GET
200
208.91.196.105:80
http://www.riukuzaki.com/downloads/injectorgadget/
VG
html
195 b
malicious
4040
1.exe
GET
200
141.8.192.151:80
http://f0332298.xsph.ru/32.zip
RU
compressed
2.35 Mb
malicious
3400
Injector.exe
GET
200
208.91.196.105:80
http://www.riukuzaki.com/downloads/injectorgadget/
VG
html
195 b
malicious
4040
1.exe
GET
200
141.8.192.151:80
http://f0332298.xsph.ru/
RU
html
297 b
malicious
1944
chrome.exe
GET
200
173.194.183.103:80
http://r2---sn-aigl6nek.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigl6nek&ms=nvh&mt=1571068399&mv=m&mvi=1&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
2860
csrss.exe
POST
200
217.107.34.251:80
http://hodrika13.myjino.ru/index.php
RU
binary
4.27 Mb
malicious
2860
csrss.exe
POST
200
217.107.34.251:80
http://hodrika13.myjino.ru/index.php
RU
text
2 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1944
chrome.exe
172.217.21.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1944
chrome.exe
87.250.251.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
1944
chrome.exe
172.217.22.77:443
accounts.google.com
Google Inc.
US
whitelisted
1944
chrome.exe
178.154.131.216:443
yastatic.net
YANDEX LLC
RU
whitelisted
1944
chrome.exe
5.255.255.88:443
yandex.ru
YANDEX LLC
RU
whitelisted
1944
chrome.exe
216.58.207.36:443
www.google.com
Google Inc.
US
whitelisted
1944
chrome.exe
93.158.134.90:443
an.yandex.ru
YANDEX LLC
RU
whitelisted
1944
chrome.exe
87.250.250.50:443
yadi.sk
YANDEX LLC
RU
whitelisted
1944
chrome.exe
216.58.208.42:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
1944
chrome.exe
87.250.247.183:443
avatars.mds.yandex.net
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
yadi.sk
  • 87.250.250.50
shared
clientservices.googleapis.com
  • 172.217.21.195
whitelisted
accounts.google.com
  • 172.217.22.77
shared
yastatic.net
  • 178.154.131.216
  • 178.154.131.217
  • 178.154.131.215
whitelisted
mc.yandex.ru
  • 87.250.251.119
  • 93.158.134.119
  • 77.88.21.119
  • 87.250.250.119
whitelisted
disk.yandex.com
  • 87.250.250.50
shared
disk.yandex.ru
  • 87.250.250.50
shared
yandex.ru
  • 5.255.255.88
  • 5.255.255.5
  • 77.88.55.88
  • 77.88.55.50
whitelisted
an.yandex.ru
  • 93.158.134.90
  • 77.88.21.90
  • 213.180.193.90
  • 213.180.204.90
  • 87.250.250.90
whitelisted
www.google.com
  • 216.58.207.36
whitelisted

Threats

PID
Process
Class
Message
2860
csrss.exe
A Network Trojan was detected
AV TROJAN Azorult CnC Beacon
2860
csrss.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult.Stealer HTTP Header
2860
csrss.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult Request
956
Injector.exe
Misc activity
SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7)
2860
csrss.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult Response
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
4040
1.exe
Not Suspicious Traffic
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
Not Suspicious Traffic
ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)
4040
1.exe
Not Suspicious Traffic
ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)
2860
csrss.exe
A Network Trojan was detected
MALWARE [PTsecurity] AZORult.Stealer HTTP Header
1 ETPRO signatures available at the full report
No debug info