Overview

overview

10

Static

static

PI-Z-25- r...1.xlsx

windows7_x64

10

PI-Z-25- r...1.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PI-Z-25- rev. 1 and 22021.xlsx

  • Size

    2.1MB

  • Sample

    210104-nzg1d1cq66

  • MD5

    bd6a8e4e696c524d7397f301f4c4f37e

  • SHA1

    9333dddf41711dfaf062dae202a99ae5ac5bba02

  • SHA256

    c79c02b85695bb70771ae4c87fa93909fdf2c884d5472b69b9097d7ac2f30c1c

  • SHA512

    033424571f4e59e22ae71c518d71f45ef3d6dd21c250a114134e9fb9c8a7b97e53a9a4c55df93491a455a8c36226678a39bbbc8149001e64ff788d20a0e14be5

Score
10/10
azorultdiscoveryinfostealerspywaretrojan

Malware Config

Extracted

Family

azorult

C2

http://wjnigh.myzen.co.uk/azo2/PL341/index.php

Targets

    • Target

      PI-Z-25- rev. 1 and 22021.xlsx

    • Size

      2.1MB

    • MD5

      bd6a8e4e696c524d7397f301f4c4f37e

    • SHA1

      9333dddf41711dfaf062dae202a99ae5ac5bba02

    • SHA256

      c79c02b85695bb70771ae4c87fa93909fdf2c884d5472b69b9097d7ac2f30c1c

    • SHA512

      033424571f4e59e22ae71c518d71f45ef3d6dd21c250a114134e9fb9c8a7b97e53a9a4c55df93491a455a8c36226678a39bbbc8149001e64ff788d20a0e14be5

    Score
    10/10
    azorultdiscoveryinfostealerspywaretrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spyware

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spyware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • JavaScript code in executable

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Exploitation for Client Execution

1
T1203

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Tasks