gunzipped.exe

General
Target

gunzipped.exe

Filesize

693KB

Completed

21-04-2021 19:51

Score

10/10
MD5

289691163ea5795a930703689eb1b3b9

SHA1

46dc959dc6848a44d6930d00ad2a9e60db08e47b

SHA256

ba5786cfe255f158264fabd0b0cbf90b6f96ddd230a5fe82ca0c551d420f95be

Malware Config

Extracted

Family azorult
C2

http://31.210.20.121/index.php

Signatures 3

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Suspicious use of SetThreadContext
    gunzipped.exe

    Reported IOCs

    Description                          PID    Process         Target process
    PID 1420 set thread context of 644   1420   gunzipped.exe   gunzipped.exe
  • Suspicious use of WriteProcessMemory
    gunzipped.exe

    Reported IOCs

    Description                          PID    Process         Target process
    PID 1420 wrote to memory of 644      1420   gunzipped.exe   gunzipped.exe
    (the same event was reported 10 times)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
      "{path}"
      PID:644
Downloads
  • memory/644-63-0x000000000041A1F8-mapping.dmp
  • memory/644-62-0x0000000000400000-0x0000000000420000-memory.dmp
  • memory/644-66-0x0000000000400000-0x0000000000420000-memory.dmp
  • memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp
  • memory/1420-61-0x00000000008A0000-0x00000000008A1000-memory.dmp
  • memory/1420-65-0x00000000008A1000-0x00000000008A2000-memory.dmp