paladin316

Exes_a81e3db408b78bc6abc0c4d5a53050d2_exe_2019-08-27_20_30.txt

Aug 27th, 2019
  1.  
  2. * MalFamily: "Azorult"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "Exes_a81e3db408b78bc6abc0c4d5a53050d2.exe"
  7. * File Size: 543102
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "7dd488e91a30fc0eb14e6021d4f6d56ce500dc7c4ed37213e4edcefb54f11396"
  10. * MD5: "a81e3db408b78bc6abc0c4d5a53050d2"
  11. * SHA1: "8ad34e7e178e3e4c918485f642eabf9a7a253e0c"
  12. * SHA512: "658d4ea28d2d46938e8bea140aea9e3757ad9d5e4dad6f8d82cbfbccb00bebefa68f027b29b48f0ebca22ab4be170a53672d222df74c17b55bdca932c13264bf"
  13. * CRC32: "6FD1DB49"
  14. * SSDEEP: "12288:9XwOrReFWQFAKYWZqvUPY06ZNwJSrswf3MCSelM34NXZ:9XwOrRsdZ5n6Z2JSDf3MVBIdZ"
  15.  
  16. * Process Execution:
  17. "J4cpJJsKJbow.exe",
  18. "imgfos.exe",
  19. "imgfos.exe",
  20. "cmd.exe"
  21.  
  22.  
  23. * Executed Commands:
  24. "\"C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe\"",
  25. "imgfos.exe ",
  26. "\"C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd\"",
  27. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd "
  28.  
  29.  
  30. * Signatures Detected:
  31.  
  32. "Description": "Behavioural detection: Executable code extraction",
  33. "Details":
  34.  
  35.  
  36. "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
  37. "Details":
  38.  
  39.  
  40. "Description": "Possible date expiration check, exits too soon after checking local time",
  41. "Details":
  42.  
  43. "process": "J4cpJJsKJbow.exe, PID 1528"
  44.  
  45.  
  46.  
  47.  
  48. "Description": "Performs HTTP requests potentially not found in PCAP.",
  49. "Details":
  50.  
  51. "url": "opengopro.live:80//luck/index.php"
  52.  
  53.  
  54.  
  55.  
  56. "Description": "Reads data out of its own binary image",
  57. "Details":
  58.  
  59. "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000000, length: 0x00000020"
  60.  
  61.  
  62. "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000000, length: 0x0001ee02"
  63.  
  64.  
  65. "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000000, length: 0x0001ffe0"
  66.  
  67.  
  68. "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000020, length: 0x0001ffc0"
  69.  
  70.  
  71. "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x0001eae8, length: 0x00065e96"
  72.  
  73.  
  74.  
  75.  
  76. "Description": "A process created a hidden window",
  77. "Details":
  78.  
  79. "Process": "J4cpJJsKJbow.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd"
  80.  
  81.  
  82.  
  83.  
  84. "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
  85. "Details":
  86.  
  87. "post_no_referer": "HTTP traffic contains a POST request with no referer header"
  88.  
  89.  
  90. "suspicious_request": "http://opengopro.live/luck/index.php"
  91.  
  92.  
  93.  
  94.  
  95. "Description": "Performs some HTTP requests",
  96. "Details":
  97.  
  98. "url": "http://opengopro.live/luck/index.php"
  99.  
  100.  
  101.  
  102.  
  103. "Description": "Uses Windows utilities for basic functionality",
  104. "Details":
  105.  
  106. "command": "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd "
  107.  
  108.  
  109.  
  110.  
  111. "Description": "Behavioural detection: Injection (Process Hollowing)",
  112. "Details":
  113.  
  114. "Injection": "imgfos.exe(2416) -> imgfos.exe(380)"
  115.  
  116.  
  117.  
  118.  
  119. "Description": "Executed a process and injected code into it, probably while unpacking",
  120. "Details":
  121.  
  122. "Injection": "imgfos.exe(2416) -> imgfos.exe(380)"
  123.  
  124.  
  125.  
  126.  
  127. "Description": "Deletes its original binary from disk",
  128. "Details":
  129.  
  130.  
  131. "Description": "Behavioural detection: Injection (inter-process)",
  132. "Details":
  133.  
  134.  
  135. "Description": "CAPE detected the Azorult malware family",
  136. "Details":
  137.  
  138.  
  139. "Description": "File has been identified by 11 Antiviruses on VirusTotal as malicious",
  140. "Details":
  141.  
  142. "FireEye": "Generic.mg.a81e3db408b78bc6"
  143.  
  144.  
  145. "Cylance": "Unsafe"
  146.  
  147.  
  148. "Cybereason": "malicious.e178e3"
  149.  
  150.  
  151. "APEX": "Malicious"
  152.  
  153.  
  154. "Kaspersky": "UDS:DangerousObject.Multi.Generic"
  155.  
  156.  
  157. "Trapmine": "malicious.high.ml.score"
  158.  
  159.  
  160. "Microsoft": "Trojan:Win32/Wacatac.B!ml"
  161.  
  162.  
  163. "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
  164.  
  165.  
  166. "ESET-NOD32": "Win32/Injector.EHKH"
  167.  
  168.  
  169. "CrowdStrike": "win/malicious_confidence_60% (W)"
  170.  
  171.  
  172. "Qihoo-360": "HEUR/QVM41.1.7D57.Malware.Gen"
  173.  
  174.  
  175.  
  176.  
  177. "Description": "Drops a binary and executes it",
  178. "Details":
  179.  
  180. "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe"
  181.  
  182.  
  183.  
  184.  
  185. "Description": "Collects information to fingerprint the system",
  186. "Details":
  187.  
  188.  
  189. "Description": "Created network traffic indicative of malicious activity",
  190. "Details":
  191.  
  192. "signature": "ET TROJAN AZORult Variant.4 Checkin M2"
  193.  
  194.  
  195.  
  196.  
  197.  
  198. * Started Service:
  199.  
  200. * Mutexes:
  201. "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726"
  202.  
  203.  
  204. * Modified Files:
  205. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\img.bmp",
  206. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe",
  207. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd",
  208. "C:\\Users\\user\\AppData\\Local\\Temp\\img.txt"
  209.  
  210.  
  211. * Deleted Files:
  212. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\img.bmp",
  213. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe",
  214. "C:\\Users\\user\\AppData\\Local\\Temp\\img.txt",
  215. "C:\\Users\\user\\AppData\\Local\\Temp\\J4cpJJsKJbow.exe",
  216. "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd"
  217.  
  218.  
  219. * Modified Registry Keys:
  220.  
  221. * Deleted Registry Keys:
  222.  
  223. * DNS Communications:
  224.  
  225. "type": "A",
  226. "request": "opengopro.live",
  227. "answers":
  228.  
  229. "data": "104.28.3.74",
  230. "type": "A"
  231.  
  232.  
  233. "data": "104.28.2.74",
  234. "type": "A"
  235.  
  236.  
  237.  
  238.  
  239.  
  240. * Domains:
  241.  
  242. "ip": "104.28.2.74",
  243. "domain": "opengopro.live"
  244.  
  245.  
  246.  
  247. * Network Communication - ICMP:
  248.  
  249. * Network Communication - HTTP:
  250.  
  251. "count": 1,
  252. "body": "J/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
  253. "uri": "http://opengopro.live/luck/index.php",
  254. "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
  255. "method": "POST",
  256. "host": "opengopro.live",
  257. "version": "1.1",
  258. "path": "/luck/index.php",
  259. "data": "POST /luck/index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: opengopro.live\r\nContent-Length: 105\r\nCache-Control: no-cache\r\n\r\nJ/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
  260. "port": 80
  261.  
  262.  
  263.  
  264. * Network Communication - SMTP:
  265.  
  266. * Network Communication - Hosts:
  267.  
  268. "country_name": "United States",
  269. "ip": "104.28.2.74",
  270. "inaddrarpa": "",
  271. "hostname": "opengopro.live"
  272.  
  273.  
  274.  
  275. * Network Communication - IRC: