General

  • Target

    SOA_November_December_2020_49588300.xlsx

  • Size

    2.2MB

  • Sample

    210111-n9t3q7tgte

  • MD5

    859dfc3c1068c8a6c3a2f0f8a610ec4b

  • SHA1

    731473375b7cc5b3dcdeb23ca709f4af62b86b80

  • SHA256

    c59a9ba230e797388ebe438115111dc3b6136f8de5504edfde926ad83e4fc5dc

  • SHA512

    45a0ab1899e3c39f2b4bafcdb74a7eb200e85c9729559863120d9124dd578ba322f90399737a2618f28f0f985a2e0b42c670e59650fb44360c473965567cb43f

Malware Config

Extracted

Family

azorult

C2

http://al-ifah.com/PL342/index.php

Targets

    • Target

      SOA_November_December_2020_49588300.xlsx

    • Size

      2.2MB

    • MD5

      859dfc3c1068c8a6c3a2f0f8a610ec4b

    • SHA1

      731473375b7cc5b3dcdeb23ca709f4af62b86b80

    • SHA256

      c59a9ba230e797388ebe438115111dc3b6136f8de5504edfde926ad83e4fc5dc

    • SHA512

      45a0ab1899e3c39f2b4bafcdb74a7eb200e85c9729559863120d9124dd578ba322f90399737a2618f28f0f985a2e0b42c670e59650fb44360c473965567cb43f

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

    • Uses the VBS compiler for execution

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • JavaScript code in executable

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1
    Scheduled Task (T1053): 1
    Exploitation for Client Execution (T1203): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 4

  • Discovery

    Query Registry (T1012): 3
    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 4

Tasks