Analysis
- max time kernel: 16s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 15:40

Static task: static1

Behavioral task: behavioral1
- Sample: test2.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: test2.exe
- Resource: win10v20201028
General
- Target: test2.exe
- Size: 833KB
- MD5: 9b0cba63f37783d933cd86fc96f2aa07
- SHA1: b5a93abac6411cc261b9f3d484fec192e136338c
- SHA256: bd77c6cc5e497fdcbb12fa2efa06abd2f39b58487cbe72f2191bb9e4c4640c31
- SHA512: 473926d8f8d6e8127fca322a850ae988fd9bf286719d17936b7bd52b221c4d8e6eb4c15b785a2bc0b1d39bb2c24cac7901e65503b94d7e0d3e710fbe7cce9be1
Malware Config
- Extracted: azorult
- URL: http://main.kebleflooring.co.uk/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1620  backup.exe
    2664  rar_temp1.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
    description                        pid  process    target process
    PID 496 wrote to memory of 1620    496  test2.exe  backup.exe
    PID 496 wrote to memory of 1620    496  test2.exe  backup.exe
    PID 496 wrote to memory of 1620    496  test2.exe  backup.exe
    PID 496 wrote to memory of 2664    496  test2.exe  rar_temp1.exe
    PID 496 wrote to memory of 2664    496  test2.exe  rar_temp1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\test2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\test2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\backup.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\backup.exe
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\rar_temp1.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\rar_temp1.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\backup.exe
  MD5: 49fad1b9e61959fad1566eeaac72eb33
  SHA1: f5d128c09a53bf4ce97789e67bf8197d6d44f118
  SHA256: 87f4e1cbc145e642d7c69f6935ef9be74475e76827de585561218f96350e6fed
  SHA512: 2fcb2c34e5e5c60060cec00a3396500f2e0df9cd871cc36474f2e1c8b9e6e6dce066077b3ec1e11e2b409c4f2247588fcb5099c4369fcd84d5d232ac795ffdeb
- C:\Users\Admin\AppData\Local\rar_temp1.exe
  MD5: 2aec40fc2e52200343e4f67f654c67ed
  SHA1: bc9897911617a27c9a5c150a8448cfad02017cf3
  SHA256: 224a640ec25e14f8cf70b3e1a28b8e9039835d1caaf824df9935d96f0eca4cd7
  SHA512: ae166620dd905eb5b4dfd4dd6b4f1cb385f5e7a5e736b8cc9e94aa89e2d594462b4e139fa723cdc4c56675cfbe1c548cc6a156363e13550ab0e598ad158bfb07
- memory/1620-2-0x0000000000000000-mapping.dmp
- memory/2664-5-0x0000000000000000-mapping.dmp