File name: | YTYcBDmM.rar |
Full analysis: | https://app.any.run/tasks/4b15391f-7cc7-47da-a03f-e55f35dc02ba |
Verdict: | Malicious activity |
Threats: | AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat. |
Analysis date: | March 31, 2020, 10:35:38 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | E16997B14DB2E5626C341090287C5F95 |
SHA1: | 1BBB4D7DE25B3B9E5F96DD03F88E3D16D8E26DDA |
SHA256: | FB453706E14680CBBD063AEF39CB1C3A06E06A10A8432BD6205BE1966E68CD55 |
SSDEEP: | 768:DJJfE+89r8LOQQyO9Wn7tZfxCsCpPFjCDDimHaMTSoxJLx+OYKuP1X8O3/:FmHr8KSnvIsYGDDhH8oxJLTYx1Xj |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2896 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\YTYcBDmM.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1812 | "C:\Users\admin\Desktop\YTYcBDmM.exe" | C:\Users\admin\Desktop\YTYcBDmM.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2220 | "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "YTYcBDmM.exe" | C:\Windows\system32\cmd.exe | — | YTYcBDmM.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3092 | C:\Windows\system32\timeout.exe 3 | C:\Windows\system32\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2896.30742\YTYcBDmM.exe | executable | |
MD5:4306955B7265FE2714E7A6BD69AC0D5D | SHA256:9D3536E5E2E71BAD9EA977B3A5CA377746D49E9C6B914EEEE15DCB1CAFC8D61F | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-handle-l1-1-0.dll | executable | |
MD5:6DB54065B33861967B491DD1C8FD8595 | SHA256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5 | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-heap-l1-1-0.dll | executable | |
MD5:2EA3901D7B50BF6071EC8732371B821C | SHA256:44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dll | executable | |
MD5:EFF11130BFE0D9C90C0026BF2FB219AE | SHA256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97 | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-interlocked-l1-1-0.dll | executable | |
MD5:D97A1CB141C6806F0101A5ED2673A63D | SHA256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-errorhandling-l1-1-0.dll | executable | |
MD5:6D778E83F74A4C7FE4C077DC279F6867 | SHA256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325 | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-namedpipe-l1-1-0.dll | executable | |
MD5:6F6796D1278670CCE6E2D85199623E27 | SHA256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507 | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-file-l2-1-0.dll | executable | |
MD5:E479444BDD4AE4577FD32314A68F5D28 | SHA256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719 | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-profile-l1-1-0.dll | executable | |
MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56 | SHA256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C | |||
1812 | YTYcBDmM.exe | C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-processthreads-l1-1-0.dll | executable | |
MD5:A2D7D7711F9C0E3E065B2929FF342666 | SHA256:9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1812 | YTYcBDmM.exe | POST | 200 | 5.79.66.145:80 | http://latum666.kl.com.ua/index.php | NL | html | 2.07 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1812 | YTYcBDmM.exe | 5.79.66.145:80 | latum666.kl.com.ua | LeaseWeb Netherlands B.V. | NL | malicious |
Domain | IP | Reputation |
---|---|---|
latum666.kl.com.ua |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
1812 | YTYcBDmM.exe | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.3 Client Checkin M2 |
1812 | YTYcBDmM.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
1812 | YTYcBDmM.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult v.3 |
1812 | YTYcBDmM.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult |
1812 | YTYcBDmM.exe | A Network Trojan was detected | ET TROJAN AZORult v3.3 Server Response M3 |
1812 | YTYcBDmM.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult |
1812 | YTYcBDmM.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult v.3 |
1812 | YTYcBDmM.exe | A Network Trojan was detected | AV TROJAN Azorult CnC Beacon |
1812 | YTYcBDmM.exe | A Network Trojan was detected | ET TROJAN Generic - POST To .php w/Extended ASCII Characters (Likely Zeus Derivative) |