General
Target: 210325-dg3jas2yaa_pw_infected.zip
Size: 5.1MB
Sample: 210424-mjwhvcyxmx
MD5: d9ebb4e8a7e9912fc1ba148b0b4edf99
SHA1: a6233c170efb861acd9152f81086285865f4e925
SHA256: cacf550216d6127087182b5b03d38f73d1271cca28477569ac5360f77047e610
SHA512: 691485cb3bb7853d6784e3d0eb8615878e688332fe8fc04449cd94e799d3da80fac9bdd5c1d363b8225342ee8d52310eccf719ea52833f830e743a4b6c42feca
Static task: static1
Behavioral tasks
behavioral1: 3d_Video_Player_4_5_serial_maker.exe on win10v20210410
behavioral2: 3d_Video_Player_4_5_serial_maker.exe on win7v20210408
behavioral3: 3d_Video_Player_4_5_serial_maker.exe on win10v20210410
behavioral4: 3d_Video_Player_4_5_serial_maker.exe on win10v20210408
Malware Config
Extracted family: azorult
C2 URL: http://kvaka.li/1210776429.php
Targets
Target: 3d_Video_Player_4_5_serial_maker.exe
Size: 5.2MB
MD5: a51e2c143bcc14da09cd690bd69b9fa8
SHA1: 46424a965a43c48c521effba1e47943d1392460b
SHA256: b22d997f753e1bbd9756d9fcc4e45aea3cd3e52d8de4acd6c4a3140f742bac47
SHA512: 553e72694cca748f59e3bb3c1c6e13e5d9defdf831883a250d5807cf5cf34a27350cdf38e6cd117515fee08fdd19238df0084055bb323e0ba5babd471e0bed8e
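Before any of the behavioral findings below are trusted, the copy of the archive and of the sample inside it should be checked against the digests listed above. The script below is an added example, not part of the sandbox report or its tooling: it hashes the archive on disk, decrypts the member in memory (so the live sample is never written to disk), computes all four digests in a single pass, and reports which algorithms disagree with the report. The archive password `infected` is an assumption drawn from the `_pw_infected` suffix in the archive name; `build_demo_archive` writes a small unencrypted stand-in so the routine can be exercised without the real sample.

```python
import hashlib
import os
import tempfile
import zipfile

# Digests listed in this report for the submitted archive and the extracted sample.
REPORT_HASHES = {
    "210325-dg3jas2yaa_pw_infected.zip": {
        "md5": "d9ebb4e8a7e9912fc1ba148b0b4edf99",
        "sha1": "a6233c170efb861acd9152f81086285865f4e925",
        "sha256": "cacf550216d6127087182b5b03d38f73d1271cca28477569ac5360f77047e610",
        "sha512": "691485cb3bb7853d6784e3d0eb8615878e688332fe8fc04449cd94e799d3da80"
                  "fac9bdd5c1d363b8225342ee8d52310eccf719ea52833f830e743a4b6c42feca",
    },
    "3d_Video_Player_4_5_serial_maker.exe": {
        "md5": "a51e2c143bcc14da09cd690bd69b9fa8",
        "sha1": "46424a965a43c48c521effba1e47943d1392460b",
        "sha256": "b22d997f753e1bbd9756d9fcc4e45aea3cd3e52d8de4acd6c4a3140f742bac47",
        "sha512": "553e72694cca748f59e3bb3c1c6e13e5d9defdf831883a250d5807cf5cf34a27"
                  "350cdf38e6cd117515fee08fdd19238df0084055bb323e0ba5babd471e0bed8e",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Assumption: the "_pw_infected" suffix in the archive name means the usual sharing password.
ARCHIVE_PASSWORD = b"infected"


def digest_stream(stream, chunk_size=1 << 20):
    """Feed one pass over a binary stream into all four hashers; nothing is read fully into memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_archive_and_member(archive_path, member_name, password=ARCHIVE_PASSWORD):
    """Hash the archive on disk and one member decrypted in memory only.

    zipfile only handles traditional ZipCrypto; an AES-encrypted archive raises
    NotImplementedError and has to be unpacked with a tool such as 7-Zip first.
    """
    with open(archive_path, "rb") as f:
        archive_digests = digest_stream(f)
    with zipfile.ZipFile(archive_path) as zf:
        # zipfile ignores pwd for unencrypted members, so the same call serves both cases.
        with zf.open(member_name, pwd=password) as member:
            member_digests = digest_stream(member)
    return archive_digests, member_digests


def mismatches(actual, expected):
    """Algorithms whose digest disagrees with the report; an empty list means verified."""
    return [name for name in ALGORITHMS if actual[name] != expected[name].lower()]


def build_demo_archive(member_name, data, path=None):
    """Write a small unencrypted zip (constructed stand-in) so the routine runs without the real sample."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".zip")
        os.close(fd)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, data)
    return path


def verify_report(archive_path, member_name):
    """Compare the archive and the sample inside it against both hash sets in the report."""
    archive_name = "210325-dg3jas2yaa_pw_infected.zip"
    archive_digests, member_digests = digest_archive_and_member(archive_path, member_name)
    return {
        archive_name: mismatches(archive_digests, REPORT_HASHES[archive_name]),
        member_name: mismatches(member_digests, REPORT_HASHES[member_name]),
    }


if __name__ == "__main__":
    import sys

    sample = "3d_Video_Player_4_5_serial_maker.exe"
    path = sys.argv[1] if len(sys.argv) > 1 else build_demo_archive(sample, b"abc")
    for name, bad in verify_report(path, sample).items():
        print(name, "OK" if not bad else "MISMATCH " + ",".join(bad))
```

Run it with the real archive path as the only argument; both entries should print OK. With no argument it hashes the constructed stand-in, which is expected to mismatch on every algorithm.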
- Azorult
  An information stealer first discovered in 2016. It harvests saved browser passwords, cookies and browsing history as well as cryptocurrency wallet files, uploads them to a PHP gate, and can download further payloads.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
  Writes a value under Software\Microsoft\Windows\CurrentVersion\Run (HKCU or HKLM) so the application is started again at every logon.
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Typical of process injection (process hollowing): the context of a suspended thread is rewritten so that it resumes in injected code.
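The extracted C2 URL and the external IP lookup give two network indicators that can be hunted for in proxy logs, and a client that shows both is much more likely infected than one that matches either alone. The script below is an added example written for this report, not output of the sandbox: it parses constructed proxy log lines, flags any traffic to the C2 host, flags POSTs to the exact gate URL from the extracted config, flags requests to external IP lookup services, and then correlates the two behaviours per client. The list of IP lookup hosts is an assumption of commonly used services; the report does not say which one this sample queried. The log format and the sample lines are likewise constructed for the example.

```python
from urllib.parse import urlparse

# C2 URL from the Azorult config extracted in this report.
AZORULT_C2 = "http://kvaka.li/1210776429.php"
_c2 = urlparse(AZORULT_C2)
C2_HOST = _c2.hostname.lower()
C2_PATH = _c2.path

# Assumed list of commonly used external-IP lookup services (not from the report).
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "ipinfo.io", "ip-api.com",
    "icanhazip.com", "checkip.amazonaws.com", "ifconfig.me",
}

# Constructed proxy log lines for the example: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-04-24T10:01:03Z 10.0.0.15 GET http://api.ipify.org/?format=text 200
2021-04-24T10:01:05Z 10.0.0.15 POST http://kvaka.li/1210776429.php 200
2021-04-24T10:01:09Z 10.0.0.15 GET http://kvaka.li/1210776429.php 200
2021-04-24T10:02:11Z 10.0.0.22 GET https://www.example.com/index.html 200
2021-04-24T10:03:40Z 10.0.0.22 GET https://ipinfo.io/json 200
"""


def parse_line(line):
    """Split one log line into its fields and normalise the host for matching."""
    ts, client, method, url, status = line.split()
    u = urlparse(url)
    return {
        "ts": ts,
        "client": client,
        "method": method.upper(),
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "url": url,
        "status": int(status),
    }


def classify(entry):
    """Return the names of every rule the entry matches (possibly none)."""
    rules = []
    if entry["host"] == C2_HOST:
        rules.append("azorult_c2_host")
        # Azorult submits stolen data with a POST to its PHP gate.
        if entry["method"] == "POST" and entry["path"] == C2_PATH:
            rules.append("azorult_gate_post")
    if entry["host"] in IP_LOOKUP_HOSTS:
        rules.append("external_ip_lookup")
    return rules


def scan(log_text):
    """Run every rule over every non-empty line and collect one alert per match."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        for rule in classify(entry):
            alerts.append({"rule": rule, "client": entry["client"],
                           "ts": entry["ts"], "url": entry["url"]})
    return alerts


def suspicious_clients(alerts):
    """Clients that both looked up their external IP and posted to the C2 gate."""
    rules_by_client = {}
    for a in alerts:
        rules_by_client.setdefault(a["client"], set()).add(a["rule"])
    return sorted(
        client for client, rules in rules_by_client.items()
        if "external_ip_lookup" in rules and "azorult_gate_post" in rules
    )


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(a["ts"], a["client"], a["rule"], a["url"])
    print("clients with both behaviours:", suspicious_clients(found))
```

On the constructed log, 10.0.0.15 triggers the IP lookup rule and then the gate POST, so it is the only client reported by `suspicious_clients`; 10.0.0.22 only hits an IP lookup service, which on its own is common benign traffic and should stay low severity.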