azorult

General

Target

MAPILab.Toolbox.for.Outlook.v3.serial.number.maker.by.Inferno.zip
Size

5.2MB
Sample

210408-vhzgqzgxf6
MD5

10a4d84f1020e6d860584586313661e8
SHA1

bb9585101b23f1185d743960090a11fc966ceb03
SHA256

896f3017925e320d597433232a7a0801a99328cffb4dffdb5b9fbbc6ecc9804d
SHA512

5a47e06a33c2277ee30976d6ee147dd159e53978056c1c5df96020ba68ae155924660a4f94ea4db0ebe344058afe1dc7aa488b36c3e359428a06ef37a832a2bd

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

- Target
  
  MAPILab.Toolbox.for.Outlook.v3.serial.number.maker.by.Inferno.exe
- Size
  
  5.3MB
- MD5
  
  6aae8607d4af7e22fbab31ff012b33c4
- SHA1
  
  41acef92a283445cc572682dab4b1479def4f19a
- SHA256
  
  8cea838f523823cbb38419174c97d2d74ebb42614fc49ab1fe1e8d56fe898512
- SHA512
  
  6bc99d09ddcbba706e34e8e7c5f0c4c8bf9a317a3a2d0b87f15da2006cc377b5b3852d604f2fad4b92b988c7739e26381898894e32a96bd0d54f658c72f5a27a
Score

10^/10

azorult dcrat icedid vidar banker discovery evasion infostealer persistence rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Suspicious use of NtCreateProcessExOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1