Analysis
- max time kernel: 39s
- max time network: 65s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-04-2021 14:33

Static task
- static1

Behavioral task
- behavioral1
  - Sample: RFQ#4734.exe
  - Resource: win7v20201028
  - 0 signatures
  - 0 seconds

Behavioral task
- behavioral2
  - Sample: RFQ#4734.exe
  - Resource: win10v20201028
  - 0 signatures
  - 0 seconds
General
- Target: RFQ#4734.exe
- Size: 693KB
- MD5: 023215924c23ad657d1548b49c5770bc
- SHA1: 990870961f821b677eb246dcfe0822b7b11b22b6
- SHA256: 0ce4f6e71e484cebce7f69ca5be2c4ad6af62a637c7aa1e303052e43e0355720
- SHA512: 2121e953ed3ca016d54b770b18c36e3c461c5aa58fc790ec60a9c7ef4aeac621f35197a61b4c9e83aef4e4941bb872255fe1713ab713a115eb47eca4604a8fcc
- Score: 10/10
Malware Config
Extracted
- Family: azorult
- C2: http://108.61.161.76/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process        target process
  PID 1456 set thread context of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1456  RFQ#4734.exe
  1456  RFQ#4734.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1456  RFQ#4734.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                        pid   process        target process
  PID 1456 wrote to memory of 744    1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 744    1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 744    1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
  PID 1456 wrote to memory of 1176   1456  RFQ#4734.exe   RFQ#4734.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ#4734.exe (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\RFQ#4734.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ#4734.exe (level 2)
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\RFQ#4734.exe (level 2)
    command line: "{path}"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1176-3-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1176-4-0x000000000041A1F8-mapping.dmp
- memory/1176-5-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1456-2-0x0000000001600000-0x0000000001601000-memory.dmp (Filesize: 4KB)