URL: | https://www.dropbox.com/s/eg5ezaqueu6ux9w/PO%20162352%20-xlxs.tbz2?dl=1 |
Full analysis: | https://app.any.run/tasks/6a402e61-69f6-4736-8329-41227ef57769 |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | April 15, 2019, 07:04:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 5962EAD1CB4D276FFEB119ED8B6B3E62 |
SHA1: | A90C0440B4AA9BCE56E7E10AAB8E4C8052BBAB79 |
SHA256: | FABDB14EC698104979F40AA28029BD4015985AC7A2B0B9CAB2C433530E8FB880 |
SSDEEP: | 3:N8DSLcVHGkAfTHeSlAXxhg0/XKWU:2OLHk6zugSKT |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2484 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.dropbox.com/s/eg5ezaqueu6ux9w/PO%20162352%20-xlxs.tbz2?dl=1 | C:\Program Files\Mozilla Firefox\firefox.exe | | explorer.exe |
| | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 65.0.2 | | | |
| 3280 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.0.1773809081\22279402" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 1132 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
| | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 65.0.2 | | | |
| 3168 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.6.618469142\1727288943" -childID 1 -isForBrowser -prefsHandle 1284 -prefMapHandle 764 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 1644 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
| | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 65.0.2 | | | |
| 676 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.13.1488248039\490315826" -childID 2 -isForBrowser -prefsHandle 2592 -prefMapHandle 2596 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 2608 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
| | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 65.0.2 | | | |
| 3148 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2484.20.705063865\1852270082" -childID 3 -isForBrowser -prefsHandle 3324 -prefMapHandle 3336 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2484 "\\.\pipe\gecko-crash-server-pipe.2484" 3552 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
| | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 65.0.2 | | | |
| 3932 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO 162352 -xlxs.tbz2" | C:\Program Files\WinRAR\WinRAR.exe | | firefox.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
| 3528 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\PO 162352 -xlxs.tbz2" | C:\Program Files\WinRAR\WinRAR.exe | — | firefox.exe |
| | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 | | | |
| 2648 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3932.41817\PO 162352 -xlxs.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3932.41817\PO 162352 -xlxs.exe | | WinRAR.exe |
| | User: admin; Integrity Level: MEDIUM; Exit code: 0 | | | |
| 2356 | "C:\Users\admin\AppData\Local\Temp\svhost.exe" | C:\Users\admin\AppData\Local\Temp\svhost.exe | | PO 162352 -xlxs.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Visual Basic Command Line Compiler; Exit code: 0; Version: 9.0.30729.5420 | | | |
| 1396 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "svhost.exe" | C:\Windows\system32\cmd.exe | — | svhost.exe |
| | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2484 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | — |
| 2484 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | — |
| 2484 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash26735 | — | — | — |
| 2484 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | — | — |
| 2484 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | — | — |
| 2484 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | 6C32CB3FD01869207E7AAE8B28598F29 | 4F8ECF8007F6CC603991256AACF38224ADBA7D0A16685706072D1AADC0604303 |
| 2484 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | 82F61C08D68502377826CA7EA054CEA7 | 85801BCE5D7CE3A2ABC14E3208151AC9D324A6EA82FB2ADA1D10BAA8EF58E7DF |
| 2484 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\880BA3C434E82AFD54B30DC09EA1E78F26DE4F3E | der | 27AE5E292B08ACD5A8888B33326BA78F | 199BBC5FF265C706CEE089E1FB4B833D488F1BE319CF47F56ACB12FF073F075E |
| 2484 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 8F89A5889E1615F65674DAF6A01A2454 | F6D3FDE91836D607A3311A6E0A12463C811F791A9F231D2FF8542D772FA22ED7 |
| 2484 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\32AEDD73C57D8E360FAD4709E9678BF40A197A40 | der | A9EC8FDF2583DE451B218FF62D080B9C | 08FAEDA0D5BB8C31127CE13FD5E04C0AA0860D8A0B6B47A7CA239496AD319CCF |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2484 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2484 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2484 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
2484 | firefox.exe | POST | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2484 | firefox.exe | POST | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2484 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2484 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
2484 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2484 | firefox.exe | POST | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2484 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2484 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2484 | firefox.exe | 162.125.66.6:443 | uc57b7e654b188313c434f13f924.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared |
2484 | firefox.exe | 172.217.23.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2484 | firefox.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared |
2484 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2484 | firefox.exe | 52.26.235.130:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2484 | firefox.exe | 52.222.149.174:443 | tracking-protection.cdn.mozilla.net | Amazon.com, Inc. | US | whitelisted |
2484 | firefox.exe | 172.217.16.170:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2484 | firefox.exe | 172.217.18.14:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
2484 | firefox.exe | 52.34.132.219:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| www.dropbox.com | | shared |
| detectportal.firefox.com | | whitelisted |
| www.dropbox-dns.com | | whitelisted |
| a1089.dscd.akamai.net | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| search.services.mozilla.com | | whitelisted |
| cs9.wac.phicdn.net | | whitelisted |
| search.r53-2.services.mozilla.com | | whitelisted |
| tiles.services.mozilla.com | | whitelisted |
| tiles.r53-2.services.mozilla.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2356 | svhost.exe | A Network Trojan was detected | ET TROJAN AZORult Variant.4 Checkin M2 |
2356 | svhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2356 | svhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2356 | svhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult.Stealer HTTP Header |
2356 | svhost.exe | A Network Trojan was detected | MALWARE [PTsecurity] AZORult client request |
2356 | svhost.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |