General

  • Target

    ZiraatTRK65757.r19

  • Size

    258KB

  • Sample

    210405-h75tx6tllj

  • MD5

    5b25e6d3f01f0fd0cca0aa1bc070ccb8

  • SHA1

    fd50c637271cefeca0a638fdd542cd43dd423253

  • SHA256

    089f6d81466e46e1ddd24e5c318a1515179a08917b9dae0609a4246caa582f2a

  • SHA512

    367cf802a86350a52a412c73d8caf42832f857c2df0c2b955fa5a05fcddff780029467d8b7480e4cce4e34b3edad2922ae2a973d264f7cf73016e1c8f0b495df

Malware Config

Extracted

  • Family

    azorult

  • C2

    http://lexusbiscuit.com/OiuBn/index.php

Targets

    • Target

      ZiraatTRK65757.exe

    • Size

      376KB

    • MD5

      bc616570090677f76b2dae8b3674f0a1

    • SHA1

      a6372f565cf59724840400bb7e52636f69cc65a5

    • SHA256

      92c08df7ebe01c1fc5509841a14b63e6a552b63f545282ccfa844a970ad7ee68

    • SHA512

      8c34f4b49f96919d8f2aa4b0f1796978f48c8cb4ef0d73994bed3e71b17df7cac552c57874503c48d7bb444cad3074f9b1cf5acdb0f994bdb54b38704acb2465

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Credential Access

    • Credentials in Files

      T1081 (5)

Discovery

    • Query Registry

      T1012 (2)

    • System Information Discovery

      T1082 (2)

Collection

    • Data from Local System

      T1005 (5)

Tasks