paladin316

azorult_cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8_2019-08-21_00_05.txt

Aug 20th, 2019
  1.  
  2. * MalFamily: "Hawkeye"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8"
  7. * File Size: 1473536
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8"
  10. * MD5: "c0a9ccb2cdb3fbc68c515ac9eb45fc86"
  11. * SHA1: "4879244bb6224c497d8f3db3325015221629b078"
  12. * SHA512: "f4878ba3f39fb3ae1a361234aac1c659b3971633f7ec76a73ed1123c1b86ce41464b48fadc590f3632e603f572063c63b7911880e8442318394098f60c003a5c"
  13. * CRC32: "51B663DA"
  14. * SSDEEP: "24576:jAHnh+eWsN3skA4RV1Hom2KXMmHa3BC28loWNd5be3pWCehZw91m7/vhtuM695:uh+ZkldoPK8Ya3BCnJwkCehZCgHhYT"
  15.  
  16. * Process Execution:
  17. "cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8.exe",
  18. "RegAsm.exe"
  19.  
  20.  
  21. * Executed Commands:
  22.  
  23. * Signatures Detected:
  24.  
  25. "Description": "Creates RWX memory",
  26. "Details":
  27.  
  28.  
  29. "Description": "Starts servers listening on 127.0.0.1:0",
  30. "Details":
  31.  
  32.  
  33. "Description": "Reads data out of its own binary image",
  34. "Details":
  35.  
  36. "self_read": "process: cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8.exe, pid: 2952, offset: 0x00000000, length: 0x00167c00"
  37.  
  38.  
  39.  
  40.  
  41. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  42. "Details":
  43.  
  44. "get_no_useragent": "HTTP traffic contains a GET request with no user-agent header"
  45.  
  46.  
  47. "suspicious_request": "http://whatismyipaddress.com/"
  48.  
  49.  
  50.  
  51.  
  52. "Description": "Performs some HTTP requests",
  53. "Details":
  54.  
  55. "url": "http://whatismyipaddress.com/"
  56.  
  57.  
  58.  
  59.  
  60. "Description": "The binary likely contains encrypted or compressed data.",
  61. "Details":
  62.  
  63. "section": "name: .rsrc, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x0009d600, virtual_size: 0x0009d554"
  64.  
  65.  
  66.  
  67.  
  68. "Description": "Looks up the external IP address",
  69. "Details":
  70.  
  71. "domain": "whatismyipaddress.com"
  72.  
  73.  
  74.  
  75.  
  76. "Description": "Exhibits behavior characteristics of HawkEye keylogger.",
  77. "Details":
  78.  
  79.  
  80. "Description": "Installs itself for autorun at Windows startup",
  81. "Details":
  82.  
  83. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wyyxadlbvd"
  84.  
  85.  
  86. "data": "C:\\Users\\Public\\wyyxadlbvd.vbs"
  87.  
  88.  
  89.  
  90.  
  91. "Description": "File has been identified by 37 Antiviruses on VirusTotal as malicious",
  92. "Details":
  93.  
  94. "MicroWorld-eScan": "Trojan.AIT.Agent.B"
  95.  
  96.  
  97. "FireEye": "Generic.mg.c0a9ccb2cdb3fbc6"
  98.  
  99.  
  100. "McAfee": "Trojan-AitInject.aq"
  101.  
  102.  
  103. "Malwarebytes": "Trojan.MalPack.AutoIt"
  104.  
  105.  
  106. "Alibaba": "Trojan:Win32/Azorult.20d9a6ce"
  107.  
  108.  
  109. "Cybereason": "malicious.bb6224"
  110.  
  111.  
  112. "Arcabit": "Trojan.AIT.Agent.B"
  113.  
  114.  
  115. "F-Prot": "W32/AutoIt.IJ.gen!Eldorado"
  116.  
  117.  
  118. "Symantec": "Packed.Generic.548"
  119.  
  120.  
  121. "APEX": "Malicious"
  122.  
  123.  
  124. "Avast": "Win32:Trojan-gen"
  125.  
  126.  
  127. "ClamAV": "Win.Malware.Autoit-7122671-0"
  128.  
  129.  
  130. "Kaspersky": "Trojan-PSW.Win32.Heye.idu"
  131.  
  132.  
  133. "BitDefender": "Trojan.AIT.Agent.B"
  134.  
  135.  
  136. "Paloalto": "generic.ml"
  137.  
  138.  
  139. "Ad-Aware": "Trojan.AIT.Agent.B"
  140.  
  141.  
  142. "Emsisoft": "Trojan.AIT.Agent.B (B)"
  143.  
  144.  
  145. "Invincea": "heuristic"
  146.  
  147.  
  148. "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc"
  149.  
  150.  
  151. "Trapmine": "malicious.moderate.ml.score"
  152.  
  153.  
  154. "Cyren": "W32/AutoIt.IJ.gen!Eldorado"
  155.  
  156.  
  157. "Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5"
  158.  
  159.  
  160. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  161.  
  162.  
  163. "Endgame": "malicious (high confidence)"
  164.  
  165.  
  166. "ZoneAlarm": "Trojan-PSW.Win32.Heye.idu"
  167.  
  168.  
  169. "GData": "Trojan.AIT.Agent.B (2x)"
  170.  
  171.  
  172. "AhnLab-V3": "Malware/Win32.RL_Trojan.R280778"
  173.  
  174.  
  175. "Acronis": "suspicious"
  176.  
  177.  
  178. "ALYac": "Trojan.AIT.Agent.B"
  179.  
  180.  
  181. "MAX": "malware (ai score=86)"
  182.  
  183.  
  184. "Cylance": "Unsafe"
  185.  
  186.  
  187. "ESET-NOD32": "a variant of Win32/Injector.Autoit.EFM"
  188.  
  189.  
  190. "Ikarus": "Trojan.Autoit"
  191.  
  192.  
  193. "Fortinet": "AutoIt/Injector.EFM!tr"
  194.  
  195.  
  196. "AVG": "Win32:Trojan-gen"
  197.  
  198.  
  199. "CrowdStrike": "win/malicious_confidence_70% (D)"
  200.  
  201.  
  202. "Qihoo-360": "HEUR/QVM10.1.55D5.Malware.Gen"
  203.  
  204.  
  205.  
  206.  
  207. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  208. "Details":
  209.  
  210. "target": "clamav:Win.Malware.Autoit-7122671-0, sha256:cb1ec5c1b339212b3a8ff5da6abfd44ae3b5251d68c921d8e70bb156dc4c92f8, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  211.  
  212.  
  213. "dropped": "clamav:Win.Malware.Autoit-7122671-0, sha256:969967bab2aac1ca5fca51b7a8d107ea284c9c5cb4635c7a3dace90a137b9de2 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\SecEdit\\ActionMgr.bat, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  214.  
  215.  
  216.  
  217.  
  218. "Description": "Creates a slightly modified copy of itself",
  219. "Details":
  220.  
  221. "file": "C:\\Users\\user\\AppData\\Roaming\\SecEdit\\ActionMgr.bat"
  222.  
  223.  
  224. "percent_match": 100
  225.  
  226.  
  227.  
  228.  
  229. "Description": "Anomalous binary characteristics",
  230. "Details":
  231.  
  232. "anomaly": "Actual checksum does not match that reported in PE header"
  233.  
  234.  
  235.  
  236.  
  237.  
  238. * Started Service:
  239.  
  240. * Mutexes:
  241. "Global\\CLR_PerfMon_WrapMutex",
  242. "Global\\CLR_CASOFF_MUTEX",
  243. "Global\\.net clr networking"
  244.  
  245.  
  246. * Modified Files:
  247. "C:\\Users\\user\\AppData\\Roaming\\SecEdit\\ActionMgr.bat",
  248. "C:\\Users\\Public\\wyyxadlbvd.vbs",
  249. "C:\\Users\\user\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
  250. "C:\\Users\\user\\AppData\\Roaming\\pid.txt",
  251. "C:\\Users\\user\\AppData\\Roaming\\pidloc.txt"
  252.  
  253.  
  254. * Deleted Files:
  255.  
  256. * Modified Registry Keys:
  257. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wyyxadlbvd"
  258.  
  259.  
  260. * Deleted Registry Keys:
  261.  
  262. * DNS Communications:
  263.  
  264. "type": "A",
  265. "request": "whatismyipaddress.com",
  266. "answers":
  267.  
  268. "data": "104.16.154.36",
  269. "type": "A"
  270.  
  271.  
  272. "data": "104.16.155.36",
  273. "type": "A"
  274.  
  275.  
  276.  
  277.  
  278.  
  279. * Domains:
  280.  
  281. "ip": "104.16.154.36",
  282. "domain": "whatismyipaddress.com"
  283.  
  284.  
  285.  
  286. * Network Communication - ICMP:
  287.  
  288. * Network Communication - HTTP:
  289.  
  290. "count": 1,
  291. "body": "",
  292. "uri": "http://whatismyipaddress.com/",
  293. "user-agent": "",
  294. "method": "GET",
  295. "host": "whatismyipaddress.com",
  296. "version": "1.1",
  297. "path": "/",
  298. "data": "GET / HTTP/1.1\r\nHost: whatismyipaddress.com\r\nConnection: Keep-Alive\r\n\r\n",
  299. "port": 80
  300.  
  301.  
  302.  
  303. * Network Communication - SMTP:
  304.  
  305. * Network Communication - Hosts:
  306.  
  307. * Network Communication - IRC: