Analysis
- max time kernel: 15s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 21-07-2021 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: 08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe
  Resource: win10v20210408
General
- Target: 08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe
- Size: 252KB
- MD5: 997f26e502eb7d3c839b71ab5e77a647
- SHA1: 1c6aaec928e5bcaa07c7ce00a253b618fa7320ba
- SHA256: 08a6193d0afc12de32573390251740b4b1d7a1af0b19ef0cc3a12c078db76449
- SHA512: 4a748b90c92e85eb38962a0866b5f4c060ae4e905884b607b3710e53c30a0bdaa972a47fb71d71049148cbfa5c00d7264464bc64f1fd9fef68092bc3d5a68434
Malware Config
Extracted: azorult
- http://soapstampingmachines.com/slider/data1/index.php
Signatures
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                         pid   process                                              target process
  PID 4060 wrote to memory of 3492    4060  08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe   wermgr.exe
  PID 4060 wrote to memory of 3492    4060  08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe   wermgr.exe
  PID 4060 wrote to memory of 3492    4060  08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe   wermgr.exe
  PID 4060 wrote to memory of 3492    4060  08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe   wermgr.exe
  PID 4060 wrote to memory of 3492    4060  08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe   wermgr.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\08A6193D0AFC12DE32573390251740B4B1D7A1AF0B19E.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wermgr.exe
    Command line: "C:\Windows\System32\wermgr.exe"