Analysis
- max time kernel: 39s
- max time network: 101s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 11-11-2020 14:12
Static task: static1

Behavioral task: behavioral1
- Sample: blessme.exe
- Resource: win7v20201028
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: blessme.exe
- Resource: win10v20201028
- 0 signatures
- 0 seconds
General
- Target: blessme.exe
- Size: 168KB
- MD5: f5965e74cd4f98349e4e006263075be6
- SHA1: 4b19d6b4d6c4c284a050aa1f01dabd575194a29c
- SHA256: d648c31e655e998c47be5931bbaf9e861cc52a8ca38d1b0d667d53c294ec68c7
- SHA512: 7d42b11084f3227204d324435c8f71e75bc59904bf1e6c0853a6792b05322b410731218951b291f9300f758b32e66a57de7c39c09ad09cbf4dfa25d39544fa85

Score: 10/10
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes:
    pid   process
    596   blessme.exe
    1292  blessme.exe
    1292  blessme.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid  process      target process
    PID 596 set thread context of 1292   596  blessme.exe  blessme.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    596   blessme.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    596   blessme.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                        pid  process      target process
    PID 596 wrote to memory of 1292    596  blessme.exe  blessme.exe
    PID 596 wrote to memory of 1292    596  blessme.exe  blessme.exe
    PID 596 wrote to memory of 1292    596  blessme.exe  blessme.exe
    PID 596 wrote to memory of 1292    596  blessme.exe  blessme.exe
    PID 596 wrote to memory of 1292    596  blessme.exe  blessme.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\blessme.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\blessme.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\blessme.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\blessme.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger