General

Target:  ELECTRIC LINE DOWNHOLE LOGGING SERVICES FOR PC(T)SB PRODUCTION WELLS.img
Size:    3.8MB
Sample:  210105-e8tjg1jd7x
MD5:     843d30edf757bf0c3b90ff94c1783322
SHA1:    b40b32635a45f3a86cc9de1b4c983c854e5dbe8f
SHA256:  c5d1c57f289c7f9f692ad7971b08ec1392082eda028916ff33c27da1c8c3326b
SHA512:  82b4fdb76e22a3f08d923915b8a0cfcbfbed7f96a668ca78c4deec53657fdf8c9d3039405db42bf569c947bcbd666db2e387001e797e3ca695f4174528c72cf1
Static task:  static1

Behavioral task   Sample         Resource
behavioral1       CLIENT_C.EXE   win7v20201028
behavioral2       CLIENT_C.EXE   win10v20201028
behavioral3       NON_DISC.EXE   win7v20201028
behavioral4       NON_DISC.EXE   win10v20201028
behavioral5       TENDER_N.EXE   win7v20201028
behavioral6       TENDER_N.EXE   win10v20201028
Malware Config

Extracted: azorult
  C2:  http://eurodata1988.it/asy/PL341/index.php

Extracted: asyncrat
  C2 endpoints:
    hpdndbnb.duckdns.org:3040
    hpdndbnb.duckdns.org:2020
    hpdndbnb.duckdns.org:4040
    gpmaw.duckdns.org:3040
    gpmaw.duckdns.org:2020
    gpmaw.duckdns.org:4040
  Config:
    aes_key:          8pSblfEIKGwvU0W68bmEKGa3zB2hqd4t
    anti_detection:   false
    autorun:          true
    bdos:             false
    delay:            Default
    host:             hpdndbnb.duckdns.org,gpmaw.duckdns.org
    hwid:             3
    install_file:
    install_folder:   %AppData%
    mutex:            AsyncMutex_6SI8OkPnk
    pastebin_config:  null
    port:             3040,2020,4040
    version:          0.5.7B

Extracted: revengerat
  NyanCatRevenge
  hpdndbnb.duckdns.org:2404
  10eef43648e54083
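The three extracted configs above form a compact indicator set: two duckdns.org names (duckdns.org is a free dynamic-DNS service, so the hostnames, not whatever IPs they currently resolve to, are the stable indicator), the AsyncRAT ports 3040/2020/4040, the RevengeRAT port 2404 on hpdndbnb.duckdns.org (a host shared by both RAT configs), and the Azorult C2 URL. The following Python is an added example written for this page by the editor; it is not code from the sandbox report or from the AsyncRAT, Azorult or RevengeRAT projects. It matches those indicators against DNS, connection and HTTP log lines in a simple log format that is an assumption of the example, and the sample log lines are constructed. Connections to a listed C2 host on a port absent from the configs are reported separately rather than dropped, since a later build can change ports while keeping the dynamic-DNS name.

```python
"""Indicator matching for the C2 config extracted in this report.

Editor's added example: not code from the sandbox report or from the
AsyncRAT, Azorult or RevengeRAT projects. The indicators are copied from
the "Malware Config" section; the log format and log lines are constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# Hosts from the AsyncRAT and RevengeRAT configs, mapped to the families
# whose config lists them (hpdndbnb.duckdns.org appears in both).
C2_HOSTS = {
    "hpdndbnb.duckdns.org": {"asyncrat", "revengerat"},
    "gpmaw.duckdns.org": {"asyncrat"},
}
# Ports from the configs, mapped to the family that uses them.
PORT_FAMILY = {3040: "asyncrat", 2020: "asyncrat", 4040: "asyncrat", 2404: "revengerat"}
# Azorult C2 URL from the config; matched on host and path only.
AZORULT_C2 = urlparse("http://eurodata1988.it/asy/PL341/index.php")

# Constructed log format (an assumption, not from the report):
#   "<timestamp> <kind> <client> <value>", kind = dns | conn | http,
#   value = queried name | host:port | full URL.
LINE_RE = re.compile(r"^(\S+)\s+(dns|conn|http)\s+(\S+)\s+(\S+)$")


class Hit(NamedTuple):
    ts: str
    client: str
    family: str
    detail: str


def classify(kind: str, value: str) -> Optional[tuple[str, str]]:
    """Return (family, detail) when value matches an indicator, else None."""
    if kind == "dns":
        fams = C2_HOSTS.get(value.lower().rstrip("."))
        return ("/".join(sorted(fams)), "query for C2 host") if fams else None
    if kind == "conn":
        host, _, port = value.rpartition(":")
        fams = C2_HOSTS.get(host.lower())
        if not fams or not port.isdigit():
            return None
        fam = PORT_FAMILY.get(int(port))
        if fam in fams:  # port belongs to a family whose config lists this host
            return (fam, f"C2 connection on port {port}")
        # Known C2 host on a port absent from the extracted configs: flag it
        # anyway, attributed to every family that lists the host.
        return ("/".join(sorted(fams)), f"C2 host on unlisted port {port}")
    if kind == "http":
        url = urlparse(value)
        if url.hostname == AZORULT_C2.hostname and url.path == AZORULT_C2.path:
            return ("azorult", "request to C2 URL")
    return None


def scan(lines) -> list[Hit]:
    """Parse log lines, skip malformed ones, and return every indicator hit."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, kind, client, value = m.groups()
        result = classify(kind, value)
        if result:
            hits.append(Hit(ts, client, *result))
    return hits


# Constructed sample log (not from the report): one infected client, one clean one.
SAMPLE_LOG = """\
2021-01-05T10:20:01Z dns  10.0.0.15 hpdndbnb.duckdns.org
2021-01-05T10:20:02Z conn 10.0.0.15 hpdndbnb.duckdns.org:3040
2021-01-05T10:20:03Z conn 10.0.0.15 hpdndbnb.duckdns.org:2404
2021-01-05T10:20:04Z http 10.0.0.15 http://eurodata1988.it/asy/PL341/index.php
2021-01-05T10:20:05Z conn 10.0.0.22 gpmaw.duckdns.org:8080
2021-01-05T10:20:06Z dns  10.0.0.22 www.example.com
2021-01-05T10:20:07Z conn 10.0.0.22 www.example.com:443
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit.ts} {hit.client:<10} {hit.family:<20} {hit.detail}")
```

Run against the constructed log, the scan yields five hits for 10.0.0.15 and 10.0.0.22 and nothing for the www.example.com traffic; the gpmaw.duckdns.org:8080 line shows the "unlisted port" path. In a real deployment the only part that changes is LINE_RE and the field order, to fit whatever DNS/proxy/firewall format is in use.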
Targets

Target:  CLIENT_C.EXE
Size:    1.6MB
MD5:     9ca10ebf8150fc630b901be36a1bec85
SHA1:    f1cdd2674307a97af387016cb6f42a1419c403a6
SHA256:  49024e33c5bc92bb5751ba5d1c00fcfe16f7ab7663550c19a94fdb9d841c8879
SHA512:  521656149dd6498d9050640c7d2f1da627e788228527e8d6796493a539ab3eb3cfc6779c2237dc5cab4343438725cbe78d3b8d6376ce3c952eb07eb36a305c2c

Signatures:
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- JavaScript code in executable
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
Target:  NON_DISC.EXE
Size:    948KB
MD5:     5a26073186d5cd797817ab71676082c1
SHA1:    eba609ba96514ea94b9bf91f24ecf4b450c3faaf
SHA256:  52bd75e49e5ebcea5ff717f9041b9971c641f353d5c024581eaed881d499c396
SHA512:  79c9ec6a3638a0ae424bf2bb54ffc8e33de143360460c8cf7effc839020cb2479ffca43ba472577dc1a77d72fc3c19264aaa2d975ddfb282ece631579a3f66e1

Signatures:
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Async RAT payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- JavaScript code in executable
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
Target:  TENDER_N.EXE
Size:    742KB
MD5:     868ca3e861260b5080c62eda3880c425
SHA1:    8d1dd70950daa651261a429baa0f63332bc690ca
SHA256:  c125ad338e09169f93f9ba82a8eb533619ae2087dd2a84563da1c6a3ef68e3d1
SHA512:  5ac65a3230f465a2fccad3101261500a2fe923d6ee67990e235b255a8f85529250a93fdbac5a304c93207605f8186bbd4500fb8febb6ffd0e8a8e44b159b19af
Score:   10/10

Signatures:
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext