analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

YTYcBDmM.rar

Full analysis: https://app.any.run/tasks/4b15391f-7cc7-47da-a03f-e55f35dc02ba
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 10:35:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
rat
azorult
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

E16997B14DB2E5626C341090287C5F95

SHA1:

1BBB4D7DE25B3B9E5F96DD03F88E3D16D8E26DDA

SHA256:

FB453706E14680CBBD063AEF39CB1C3A06E06A10A8432BD6205BE1966E68CD55

SSDEEP:

768:DJJfE+89r8LOQQyO9Wn7tZfxCsCpPFjCDDimHaMTSoxJLx+OYKuP1X8O3/:FmHr8KSnvIsYGDDhH8oxJLTYx1Xj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • YTYcBDmM.exe (PID: 1812)

    • Connects to CnC server

      • YTYcBDmM.exe (PID: 1812)

    • AZORULT was detected

      • YTYcBDmM.exe (PID: 1812)

    • Loads dropped or rewritten executable

      • YTYcBDmM.exe (PID: 1812)

    • Actions looks like stealing of personal data

      • YTYcBDmM.exe (PID: 1812)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2896)
      • YTYcBDmM.exe (PID: 1812)

    • Reads Internet Cache Settings

      • YTYcBDmM.exe (PID: 1812)

    • Reads the cookies of Mozilla Firefox

      • YTYcBDmM.exe (PID: 1812)

    • Reads the cookies of Google Chrome

      • YTYcBDmM.exe (PID: 1812)

    • Starts CMD.EXE for self-deleting

      • YTYcBDmM.exe (PID: 1812)

    • Starts CMD.EXE for commands execution

      • YTYcBDmM.exe (PID: 1812)

  • INFO

    • Manual execution by user

      • YTYcBDmM.exe (PID: 1812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe #AZORULT ytycbdmm.exe cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2896"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\YTYcBDmM.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1812"C:\Users\admin\Desktop\YTYcBDmM.exe" C:\Users\admin\Desktop\YTYcBDmM.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2220"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "YTYcBDmM.exe"C:\Windows\system32\cmd.exeYTYcBDmM.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3092C:\Windows\system32\timeout.exe 3 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
500
Read events
472
Write events
0
Delete events
0

Modification events

No data
Executable files
49
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
2896WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2896.30742\YTYcBDmM.exeexecutable
MD5:4306955B7265FE2714E7A6BD69AC0D5D
SHA256:9D3536E5E2E71BAD9EA977B3A5CA377746D49E9C6B914EEEE15DCB1CAFC8D61F
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-handle-l1-1-0.dllexecutable
MD5:6DB54065B33861967B491DD1C8FD8595
SHA256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-heap-l1-1-0.dllexecutable
MD5:2EA3901D7B50BF6071EC8732371B821C
SHA256:44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dllexecutable
MD5:EFF11130BFE0D9C90C0026BF2FB219AE
SHA256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-interlocked-l1-1-0.dllexecutable
MD5:D97A1CB141C6806F0101A5ED2673A63D
SHA256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-errorhandling-l1-1-0.dllexecutable
MD5:6D778E83F74A4C7FE4C077DC279F6867
SHA256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-namedpipe-l1-1-0.dllexecutable
MD5:6F6796D1278670CCE6E2D85199623E27
SHA256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l2-1-0.dllexecutable
MD5:E479444BDD4AE4577FD32314A68F5D28
SHA256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-profile-l1-1-0.dllexecutable
MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
1812YTYcBDmM.exeC:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-processthreads-l1-1-0.dllexecutable
MD5:A2D7D7711F9C0E3E065B2929FF342666
SHA256:9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1812
YTYcBDmM.exe
POST
200
5.79.66.145:80
http://latum666.kl.com.ua/index.php
NL
html
2.07 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1812
YTYcBDmM.exe
5.79.66.145:80
latum666.kl.com.ua
LeaseWeb Netherlands B.V.
NL
malicious

DNS requests

Domain
IP
Reputation
latum666.kl.com.ua
  • 5.79.66.145
malicious

Threats

PID
Process
Class
Message
1812
YTYcBDmM.exe
A Network Trojan was detected
ET TROJAN Win32/AZORult V3.3 Client Checkin M2
1812
YTYcBDmM.exe
A Network Trojan was detected
AV TROJAN Azorult CnC Beacon
1812
YTYcBDmM.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult v.3
1812
YTYcBDmM.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult
1812
YTYcBDmM.exe
A Network Trojan was detected
ET TROJAN AZORult v3.3 Server Response M3
1812
YTYcBDmM.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult
1812
YTYcBDmM.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult v.3
1812
YTYcBDmM.exe
A Network Trojan was detected
AV TROJAN Azorult CnC Beacon
1812
YTYcBDmM.exe
A Network Trojan was detected
ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
YTYcBDmM.rar