Overview

overview

10

Static

static

f1b005d740...21.exe

windows7_x64

10

f1b005d740...21.exe

windows10_x64

10

Resubmissions

22-05-2020 12:09

200522-ma725l8pgx 10

21-05-2020 12:19

200521-swjn81cqpe 10

Analysis

  • max time kernel
    117s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    22-05-2020 12:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe

  • Size

    259KB

  • MD5

    b55f731add11aec9c9b00fe42d8f0f53

  • SHA1

    7114fbda0e1ce247dd227e3d54d22fa809a0c5ee

  • SHA256

    f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21

  • SHA512

    f9291667b8c1ae07e9993cee4269e19765b1c506a2c24411459f60f65da7c513b383cc328345961e8350642cebf0448d85ee93a2594607dd0ee866c39e2d7cb9

Score
10/10
azorultinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
    "C:\Users\Admin\AppData\Local\Temp\f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe
      "C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe"
      2⤵
      • Executes dropped EXE
      PID:3680
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 1104
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3664
    • C:\Users\Admin\AppData\Local\Temp\f1b005d740cbdb6bf8586f6fc4df175819027595190e56672e3cce2f0c8cfc21.exe
      "{path}"
      2⤵
        PID:2316

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe
      MD5

      598216c1f4df42b96265e40d826a029b

      SHA1

      5299280a7093ece1ce4cc8bd9dbbd57115cf93a2

      SHA256

      74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b

      SHA512

      ea4d008e55c16157e1374b03d142ddb34fe219114f42c6f49fb0f9b0a7c9e0abe5be0e97162a2fe820ec7b7d3a8daa4acdf2324df44445d1190e23da1a0d59b2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\cbxncdb.exe
      MD5

      598216c1f4df42b96265e40d826a029b

      SHA1

      5299280a7093ece1ce4cc8bd9dbbd57115cf93a2

      SHA256

      74bd0a0f99f46bfc7106edc3f4d360d9c0bdcba209cbedb685f2131c9482cc3b

      SHA512

      ea4d008e55c16157e1374b03d142ddb34fe219114f42c6f49fb0f9b0a7c9e0abe5be0e97162a2fe820ec7b7d3a8daa4acdf2324df44445d1190e23da1a0d59b2

      Download Submit
    • memory/2316-2-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2316-3-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3664-4-0x0000000004770000-0x0000000004771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3664-5-0x0000000004770000-0x0000000004771000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3664-7-0x0000000004870000-0x0000000004871000-memory.dmp
      Filesize

      4KB

      Download