General
-
Target
temp5.bin.zip
-
Size
10.2MB
-
Sample
210313-gwxnjbpyfn
-
MD5
c3ec389bd13c4ce6ffdf86dab10acfe4
-
SHA1
f97eae7acca9a7aaeed84bb4d48e0d08c0e847bc
-
SHA256
8c5e1feed179e6696f0321df6231197d1b46bb51f276e0a7e74b815669ed0b30
-
SHA512
34fcc1c01985889b4b81183a92134a41be7cace8aa0941bf2bcc211b6512330fdf942705cdd1d45a2e471f45978852815fca6757ab0e1ecc1e273ab7418a61bd
Static task
static1
Behavioral task
behavioral1
Sample
temp5.bin.exe
Resource
win7v20201028
Malware Config
Extracted
Protocol: ftp- Host:
109.248.203.81 - Port:
21 - Username:
alex - Password:
easypassword
Extracted
azorult
http://195.245.112.115/index.php
Targets
-
-
Target
temp5.bin
-
Size
10.6MB
-
MD5
5e25abc3a3ad181d2213e47fa36c4a37
-
SHA1
ba365097003860c8fb9d332f377e2f8103d220e0
-
SHA256
3e385633fc19035dadecf79176a763fe675429b611dac5af2775dd3edca23ab9
-
SHA512
676596d21cab10389f47a3153d53bbd36b161c77875a4e4aa976032770cb4ec7653c521aaeda98ab4da7777e49f426f4019298d5fc4ed8be2f257e9d0868d681
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies visiblity of hidden/system files in Explorer
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Stops running service(s)
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1