General

  • Target

    788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

  • Size

    826KB

  • Sample

    210115-fg7c7ejbl6

  • MD5

    4b1703f0fedf97b6fd5ed404a790236c

  • SHA1

    f9712dae7825a77bd33ed623ca335378a161c502

  • SHA256

    788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0

  • SHA512

    4c874f3e6288e7081cc84286aad67b8b344050d9c6559e0f05b676c6e75a9c8dca3b6cc9383bbf3946189d7eafdec078f25b162d0f63787ae419def7221a7da0

Malware Config

Extracted

Family

azorult

C2

http://al-ifah.com/PL341/index.php

Targets

    • Target

      788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

    • Size

      826KB

    • MD5

      4b1703f0fedf97b6fd5ed404a790236c

    • SHA1

      f9712dae7825a77bd33ed623ca335378a161c502

    • SHA256

      788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0

    • SHA512

      4c874f3e6288e7081cc84286aad67b8b344050d9c6559e0f05b676c6e75a9c8dca3b6cc9383bbf3946189d7eafdec078f25b162d0f63787ae419def7221a7da0

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Peripheral Device Discovery

1
T1120

Tasks