General

  • Target

    2d217fe9127be41ea113c369c2df13cec22a96e4bd305d1cd39e46ddce7397cf

  • Size

    2.0MB

  • Sample

    210509-2jg5xb7b3x

  • MD5

    af6b9c88a66dd4a98bbdaf839a661c3d

  • SHA1

    7e20c5bd05da94994a505a67b46ce2eb912ff796

  • SHA256

    2d217fe9127be41ea113c369c2df13cec22a96e4bd305d1cd39e46ddce7397cf

  • SHA512

    ba5f2900b0f4c200a1f9bc195d2e7df530a03a8626be9e11839f3e5fda928935cebf046d41bba326a72d11ce57d725d1e0a2b0a07755cb27e0756f4fddc98492

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Targets

    • Target

      2d217fe9127be41ea113c369c2df13cec22a96e4bd305d1cd39e46ddce7397cf

    • Size

      2.0MB

    • MD5

      af6b9c88a66dd4a98bbdaf839a661c3d

    • SHA1

      7e20c5bd05da94994a505a67b46ce2eb912ff796

    • SHA256

      2d217fe9127be41ea113c369c2df13cec22a96e4bd305d1cd39e46ddce7397cf

    • SHA512

      ba5f2900b0f4c200a1f9bc195d2e7df530a03a8626be9e11839f3e5fda928935cebf046d41bba326a72d11ce57d725d1e0a2b0a07755cb27e0756f4fddc98492

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

3
T1082

Remote System Discovery

1
T1018

Tasks