MALICIOUS Threat Names: Trojan.Generickd.37460607 Generic.Delph.PWS.FF722F75

DYNAMIC ANALYSIS REPORT #6972548

Classifications: Spyware, AZORult, Mal/Generic-S, C2/Generic-A
Verdict: MALICIOUS
Threat Names: Trojan.GenericKD.37460607, Generic.Delph.PWS.FF722F75
Verdict Reason: -

Sample Type: Windows Exe (x86-32)
File Name: Pi Request.exe
ID: #2651190
MD5: 040026c9c18e8dc7ffc73f3790dbdf3b
SHA1: 70716c50c283b59eb9fd3137c68f9ff8a8824f56
SHA256: 0768f66b3f6ee8f9f32520837cee96da8d725c789d82ba16771bbad740b737ee
File Size: 456.00 KB
Report Created: 2021-08-23 14:07 (UTC+2)
Target Environment: win10_64_th2_en_mso2016 | exe

X-Ray Vision for Malware - www.vmray.com 1 / 37

OVERVIEW

VMRay Threat Identifiers (23 rules, 99 matches)

Score | Category | Operation | Count | Classification

5/5 | YARA | Malicious content matched by YARA rules | 1 | Spyware
  • Rule "Azorult_Generic" from ruleset "Malware" has matched on a memory dump for (process #2) pi request.exe.

5/5 | Data Collection | Tries to read cached credentials of various applications | 1 | Spyware
  • Tries to read sensitive data of: Chromium, Sputnik, FileZilla, Pidgin, Comodo Dragon, Vivaldi, Torch, WinSCP, CocCoc, Chrome Canar... ...t Explorer / Edge, Google Chrome, Chedot, Comodo IceDragon, Cyberfox, Orbitum, Amigo, Mozilla Firefox, Kometa, CentBrowser, 7Star.

4/5 | Antivirus | Malicious content was detected by heuristic scan | 2 | -
  • Built-in AV detected the sample itself as "Trojan.GenericKD.37460607".
  • Built-in AV detected a memory dump of (process #2) pi request.exe as "Generic.Delph.PWS.FF722F75".

4/5 | Reputation | Known malicious file | 1 | -
  • Reputation analysis labels the sample itself as "Mal/Generic-S".

4/5 | Reputation | Contacts known malicious URL | 1 | -
  • Reputation analysis labels the URL "208.167.239.179/index.php" which was contacted by (process #2) pi request.exe as "C2/Generic-A".

2/5 | Data Collection | Reads sensitive browser data | 23 | -
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Comodo IceDragon" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Cyberfox" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Google Chrome" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Chrome Canary" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Yandex Browser" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Comodo Dragon" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Amigo" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Orbitum" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Chromium" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Vivaldi" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Sputnik" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Kometa" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Uran" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Epic Privacy Browser" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "CocCoc" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "CentBrowser" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "7Star" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Elements Browser" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Chedot" by file.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Torch" by file.
  • (Process #2) pi request.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
  • (Process #2) pi request.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.

2/5 | Data Collection | Reads sensitive mail data | 1 | -
  • (Process #2) pi request.exe tries to read sensitive data of mail application "Microsoft Outlook" by registry.

2/5 | Data Collection | Reads sensitive ftp data | 1 | -
  • (Process #2) pi request.exe tries to read sensitive data of ftp application "FileZilla" by file.

2/5 | Data Collection | Reads sensitive application data | 2 | -
  • (Process #2) pi request.exe tries to read sensitive data of application "WinSCP" by registry.
  • (Process #2) pi request.exe tries to read sensitive data of application "Pidgin" by file.

2/5 | Anti Analysis | Tries to detect virtual machine | 1 | -
  • (Process #1) pi request.exe is possibly trying to detect a VM via rdtsc.

2/5 | Injection | Writes into the memory of a process started from a created or modified executable | 1 | -
  • (Process #1) pi request.exe modifies memory of (process #2) pi request.exe.

2/5 | Injection | Modifies control flow of a process started from a created or modified executable | 1 | -
  • (Process #1) pi request.exe alters context of (process #2) pi request.exe.

1/5 | Hide Tracks | Creates process with hidden window | 1 | -
  • (Process #1) pi request.exe starts (process #2) pi request.exe with a hidden window.

1/5 | Obfuscation | Reads from memory of another process | 1 | -
  • (Process #1) pi request.exe reads from (process #2) pi request.exe.

1/5 | Obfuscation | Creates a page with write and execute permissions | 1 | -
  • (Process #1) pi request.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.

1/5 | Discovery | Reads system data | 1 | -
  • (Process #2) pi request.exe reads the cryptographic machine GUID from registry.

1/5 | Mutex | Creates mutex | 1 | -
  • (Process #2) pi request.exe creates mutex with name "A743A547-9C1AFDB0-AEA27C97-73E39B07-D5BBC660F".

1/5 | Discovery | Possibly does reconnaissance | 6 | -
  • (Process #2) pi request.exe tries to gather information about application "Mozilla Firefox" by file.
  • (Process #2) pi request.exe tries to gather information about application "Comodo IceDragon" by file.
  • (Process #2) pi request.exe tries to gather information about application "Cyberfox" by file.
  • (Process #2) pi request.exe tries to gather information about application "FileZilla" by file.
  • (Process #2) pi request.exe tries to gather information about application "WinSCP" by registry.
  • (Process #2) pi request.exe tries to gather information about application "Pidgin" by file.

1/5 | Discovery | Enumerates running processes | 1 | -
  • (Process #2) pi request.exe enumerates running processes.

1/5 | System Modification | Creates an unusually large number of files | 1 | -
  • (Process #2) pi request.exe creates an above average number of files.

1/5 | Execution | Executes itself | 1 | -
  • (Process #1) pi request.exe executes a copy of the sample at C:\Users\RDhJ0CNFevzX\Desktop\Pi Request.exe.

1/5 | Execution | Drops PE file | 48 | -
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-console-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-datetime-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-debug-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-errorhandling-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-file-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-file-l1-2-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-file-l2-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-handle-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-heap-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-interlocked-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-libraryloader-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-localization-l1-2-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-memory-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-namedpipe-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-processenvironment-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-processthreads-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-processthreads-l1-1-1.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-profile-l1-1-0.dll".
  • (Process #2) pi request.exe drops file "C:\Users\RDHJ0C~1\AppData\Local\Temp\2fda\/api-ms-win-core-rtlsupport-l1-1-0.dll".
