General

  • Target

    MUN_2207.xlsb

  • Size

    38KB

  • Sample

    210722-mt8hf3t9ns

  • MD5

    302b089cdad737572251ed036c828168

  • SHA1

    a22de587007bf85f3998b4cdde2e794409ea0c0b

  • SHA256

    b4f58a5e9cc1c3b94f848aeb3830e9e28a38ec98cc6ec3337661d7b17c08e358

  • SHA512

    d52c79b2040d4028a31ca83304a23650e095c5efda67c6e3f0039d0b5bf9c9120825f4d4e89cad2290f582f6f294de3dfd003a0a91ec3eb6b85610dbfceedf25

Malware Config

Extracted

Family

azorult

C2

http://itthonfiatalon.hu/temp/reo/index.php

Targets

    • Target

      MUN_2207.xlsb

    • Size

      38KB

    • MD5

      302b089cdad737572251ed036c828168

    • SHA1

      a22de587007bf85f3998b4cdde2e794409ea0c0b

    • SHA256

      b4f58a5e9cc1c3b94f848aeb3830e9e28a38ec98cc6ec3337661d7b17c08e358

    • SHA512

      d52c79b2040d4028a31ca83304a23650e095c5efda67c6e3f0039d0b5bf9c9120825f4d4e89cad2290f582f6f294de3dfd003a0a91ec3eb6b85610dbfceedf25

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Collection

Data from Local System

2
T1005

Tasks