General

  • Target

    Payment Notification Slip_pdf.exe

  • Size

    837KB

  • Sample

    200709-lv3d6er5ex

  • MD5

    598ba912454b81e94bb0b68de4b0b874

  • SHA1

    dcd04b735be74b8110c69bb906e28ad3ef8e48bd

  • SHA256

    fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4

  • SHA512

    9b0ba1fdef45b07842d9a366517e31e902a24a616f573526d8ce4dc365c2d66afedab413d0de8618010a962b8a3d46df911e1e0a5d9cce13f56abd876e90b616

Malware Config

Extracted

Family

azorult

C2

http://h-to-h.mixh.jp/ws/PL341/index.php

Targets

    • Target

      Payment Notification Slip_pdf.exe

    • Size

      837KB

    • MD5

      598ba912454b81e94bb0b68de4b0b874

    • SHA1

      dcd04b735be74b8110c69bb906e28ad3ef8e48bd

    • SHA256

      fe1b4c61d1b55965a4110b896daec0051ebca266c20c8f75d839e42b03587ec4

    • SHA512

      9b0ba1fdef45b07842d9a366517e31e902a24a616f573526d8ce4dc365c2d66afedab413d0de8618010a962b8a3d46df911e1e0a5d9cce13f56abd876e90b616

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • JavaScript code in executable

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks