General

  • Target

    Purchase OrderPDF.exe

  • Size

    826KB

  • Sample

    210115-bs4qh3wy22

  • MD5

    4b1703f0fedf97b6fd5ed404a790236c

  • SHA1

    f9712dae7825a77bd33ed623ca335378a161c502

  • SHA256

    788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0

  • SHA512

    4c874f3e6288e7081cc84286aad67b8b344050d9c6559e0f05b676c6e75a9c8dca3b6cc9383bbf3946189d7eafdec078f25b162d0f63787ae419def7221a7da0

Malware Config

Extracted

Family

azorult

C2

http://al-ifah.com/PL341/index.php

Targets

    • Target

      Purchase OrderPDF.exe

    • Size

      826KB

    • MD5

      4b1703f0fedf97b6fd5ed404a790236c

    • SHA1

      f9712dae7825a77bd33ed623ca335378a161c502

    • SHA256

      788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0

    • SHA512

      4c874f3e6288e7081cc84286aad67b8b344050d9c6559e0f05b676c6e75a9c8dca3b6cc9383bbf3946189d7eafdec078f25b162d0f63787ae419def7221a7da0

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • JavaScript code in executable

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

4
T1005

Tasks