Analysis

max time kernel: 135s
max time network: 137s
platform: windows7_x64
resource: win7v20201028
submitted: 02-11-2020 14:39
Static task
static1

Behavioral task
behavioral1
Sample: linkcry.exe
Resource: win7v20201028 (windows7_x64)
0 signatures
0 seconds

Behavioral task
behavioral2
Sample: linkcry.exe
Resource: win10v20201028 (windows10_x64)
0 signatures
0 seconds
General

Target: linkcry.exe
Size: 64KB
MD5: 3e7f16258f8bc23716ffcdf50c661364
SHA1: d8d006c70493810a449332c101653fe35e2f631c
SHA256: 6470996233863f34bf05faf3f268bac2e8a137cc513ee754442a6d44392c8fa0
SHA512: ca4f06e37a9fb1b9ffeccaaff3f7e00788a0ffea63482671d7a2438d3ee79bba17fe7b82059cb7a953fc01a44d4cef9acfe6a6909b69deb9620482cc64146358
Score: 10/10
Malware Config
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  PID   Process
  300   linkcry.exe
  1828  linkcry.exe
  1828  linkcry.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  Description                          PID   Process       Target PID   Target process
  PID 300 set thread context of 1828   300   linkcry.exe   1828         linkcry.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID   Process
  300   linkcry.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID   Process
  300   linkcry.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  Description                       PID   Process       Target PID   Target process
  PID 300 wrote to memory of 1828   300   linkcry.exe   1828         linkcry.exe
  PID 300 wrote to memory of 1828   300   linkcry.exe   1828         linkcry.exe
  PID 300 wrote to memory of 1828   300   linkcry.exe   1828         linkcry.exe
  PID 300 wrote to memory of 1828   300   linkcry.exe   1828         linkcry.exe
  PID 300 wrote to memory of 1828   300   linkcry.exe   1828         linkcry.exe
Processes

C:\Users\Admin\AppData\Local\Temp\linkcry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\linkcry.exe"
  PID: 300
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\linkcry.exe (child of PID 300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\linkcry.exe"
    PID: 1828
    - Suspicious use of NtSetInformationThreadHideFromDebugger
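Read together rather than one at a time, the signature rows and the process tree above describe a single chain: PID 300 spawns a second copy of its own image (PID 1828), writes to that child's memory five times, sets the child's thread context, and the child then hides its threads from debuggers. That combination, a parent launching its own image, WriteProcessMemory into it, SetThreadContext on it, plus MapViewOfSection in the parent, is the classic process-hollowing (RunPE) loader pattern; the stealer payload runs in PID 1828, so that is the process to dump, not the one on disk. The script below is an added example, not part of the Triage report or of any Triage tooling. It parses the IoC rows as the report renders them (the row list is constructed from the report text above; the tuple layout is this example's own convention, not an export format) and correlates them into injection chains, so the same logic can be run over rows from other reports.

```python
"""Correlate sandbox behaviour IoCs (WriteProcessMemory, SetThreadContext, ...)
into process-injection chains. Added example; not part of the original report."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the per-process rows from the Signatures section above,
# as (signature name, row text as the report renders it). The five
# WriteProcessMemory rows are identical in the report, hence the multiplication.
REPORT_ROWS = [
    ("NtSetInformationThreadHideFromDebugger", "300 linkcry.exe"),
    ("NtSetInformationThreadHideFromDebugger", "1828 linkcry.exe"),
    ("NtSetInformationThreadHideFromDebugger", "1828 linkcry.exe"),
    ("SetThreadContext", "PID 300 set thread context of 1828 300 linkcry.exe linkcry.exe"),
    ("MapViewOfSection", "300 linkcry.exe"),
    ("SetWindowsHookEx", "300 linkcry.exe"),
] + [("WriteProcessMemory", "PID 300 wrote to memory of 1828 300 linkcry.exe linkcry.exe")] * 5

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"
CROSS_ROW = re.compile(
    r"^PID (\d+) (?:set thread context of|wrote to memory of) (\d+) \d+ (\S+) (\S+)$")
# "<pid> <image>"
SELF_ROW = re.compile(r"^(\d+) (\S+)$")


@dataclass(frozen=True)
class Event:
    signature: str
    pid: int
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None


def parse_row(signature: str, text: str) -> Event:
    """Turn one rendered IoC row into an Event; raise on an unknown layout."""
    m = CROSS_ROW.match(text)
    if m:
        return Event(signature, int(m.group(1)), m.group(3), int(m.group(2)), m.group(4))
    m = SELF_ROW.match(text)
    if m:
        return Event(signature, int(m.group(1)), m.group(2))
    raise ValueError(f"unrecognised IoC row: {text!r}")


def parse_report(rows) -> list:
    return [parse_row(sig, text) for sig, text in rows]


def find_injection_chains(events) -> list:
    """Return one dict per (source, target) pair that shows both WriteProcessMemory
    and SetThreadContext, enriched with the per-process signals that make the
    hollowing reading stronger (same image, MapViewOfSection, anti-debug in target)."""
    by_pair: dict = {}
    per_pid: dict = {}
    for e in events:
        per_pid.setdefault(e.pid, set()).add(e.signature)
        if e.target_pid is not None:
            by_pair.setdefault((e.pid, e.target_pid), []).append(e)

    chains = []
    for (src, dst), evs in sorted(by_pair.items()):
        sigs = {e.signature for e in evs}
        if not {"WriteProcessMemory", "SetThreadContext"} <= sigs:
            continue  # a write without a context switch (or vice versa) is not a full chain
        chains.append({
            "source_pid": src,
            "target_pid": dst,
            "source_image": evs[0].image,
            "target_image": evs[0].target_image,
            "write_count": sum(1 for e in evs if e.signature == "WriteProcessMemory"),
            "same_image": evs[0].image == evs[0].target_image,
            "source_uses_mapviewofsection": "MapViewOfSection" in per_pid.get(src, set()),
            "target_hides_from_debugger":
                "NtSetInformationThreadHideFromDebugger" in per_pid.get(dst, set()),
        })
    return chains


def describe(chain: dict) -> str:
    """One-line analyst summary of a chain, naming the process worth dumping."""
    kind = "self-image hollowing" if chain["same_image"] else "cross-process injection"
    return (f"{kind}: PID {chain['source_pid']} ({chain['source_image']}) -> "
            f"PID {chain['target_pid']} ({chain['target_image']}), "
            f"{chain['write_count']} writes; dump PID {chain['target_pid']}")


if __name__ == "__main__":
    for c in find_injection_chains(parse_report(REPORT_ROWS)):
        print(describe(c))
```

On the rows above this yields exactly one chain, 300 to 1828, with five writes, matching images, MapViewOfSection in the source and the anti-debug thread flag in the target. The caveat is that these are behavioural IoCs from a single Windows 7 run; the hashes in the General section identify the dropper on disk, while the Azorult verdict applies to whatever was unpacked into PID 1828, so confirm the family from a memory dump of that child rather than from the file alone.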