General

Target: Universal_Document_Converter_5_serial_maker.exe
Size: 7.8MB
Sample: 210722-vynvg128zx
MD5: 86e73d16772de3ce51b73e13b5a6b77e
SHA1: d53670fe6d64ca9dc0f6b529075100fe839b50d0
SHA256: d0372d5e8b4b6df2203c57e839555373428b3710235d4103c16836f85e85da12
SHA512: 5d8db3b72b4af6c3ce9fb6b59110bb7cd2e7df81a08f13062df1290cb765c87078365fac328bc8576b610514db4626a331cb6e311814dbd64cec4837f6e7b2e6

Static task: static1
Behavioral task: behavioral1
Sample: Universal_Document_Converter_5_serial_maker.exe
Resource: win7v20210410
Malware Config

Extracted family: azorult
C2 URL: http://kvaka.li/1210776429.php
Targets

Target: Universal_Document_Converter_5_serial_maker.exe
Size: 7.8MB
MD5: 86e73d16772de3ce51b73e13b5a6b77e
SHA1: d53670fe6d64ca9dc0f6b529075100fe839b50d0
SHA256: d0372d5e8b4b6df2203c57e839555373428b3710235d4103c16836f85e85da12
SHA512: 5d8db3b72b4af6c3ce9fb6b59110bb7cd2e7df81a08f13062df1290cb765c87078365fac328bc8576b610514db4626a331cb6e311814dbd64cec4837f6e7b2e6
- Azorult
  An information stealer first discovered in 2016 that targets browsing history and passwords.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
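As an added example (not part of the sandbox report above and not the sandbox's own signature code), the following Python script shows how several of the signatures listed here can be expressed as detection logic over endpoint telemetry: the check-in to the extracted Azorult C2 URL, the enumeration of the registry Uninstall key, the external-IP lookup via a web service, and the file drop into System32. The only value taken from the report is the C2 URL; the event lines are constructed for the example in a simple "Type|key=value" format rather than real Sysmon output, the sample's on-disk path is invented, and the list of IP-lookup hosts and the process allow-lists are assumptions a deployment would tune.

```python
import re
from urllib.parse import urlparse

# IOC taken from the extracted Azorult config in the report above.
AZORULT_C2 = "http://kvaka.li/1210776429.php"

# Assumption: public services commonly queried to learn the external IP.
# The report does not say which service this sample used.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

# Registry path behind the "Checks installed software" signature
# (a search, so the Wow6432Node view of the key matches as well).
UNINSTALL_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.IGNORECASE)

# Assumption: processes expected to read the Uninstall key or write to System32.
UNINSTALL_ALLOWLIST = {"msiexec.exe", "explorer.exe"}
SYSTEM32_WRITERS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.IGNORECASE)

# Constructed sample telemetry ("Type|key=value|..."), not real Sysmon output.
SAMPLE_EVENTS = [
    r"Registry|Image=C:\Users\user\Desktop\Universal_Document_Converter_5_serial_maker.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    r"Registry|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip",
    r"Http|Image=C:\Users\user\Desktop\Universal_Document_Converter_5_serial_maker.exe"
    r"|Url=http://kvaka.li/1210776429.php",
    r"Http|Image=C:\Users\user\Desktop\Universal_Document_Converter_5_serial_maker.exe"
    r"|Url=http://ip-api.com/json",
    r"Http|Image=C:\Program Files\Mozilla Firefox\firefox.exe|Url=http://example.com/",
    r"FileCreate|Image=C:\Users\user\Desktop\Universal_Document_Converter_5_serial_maker.exe"
    r"|TargetFilename=C:\Windows\System32\drop.tmp",
]


def parse_event(line):
    """Split 'Type|k=v|k=v' into a dict; values may themselves contain '='."""
    kind, *fields = line.strip().split("|")
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def image_name(event):
    """Lower-cased file name of the process that produced the event."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Apply the signatures; return a list of (signature, process, evidence) hits."""
    c2 = urlparse(AZORULT_C2)
    hits = []
    for ev in events:
        proc = image_name(ev)
        if ev["type"] == "Http":
            url = urlparse(ev["Url"])
            # Match host and path exactly: the gate path is the strong IOC.
            if url.hostname == c2.hostname and url.path == c2.path:
                hits.append(("azorult_c2_checkin", proc, ev["Url"]))
            elif url.hostname in IP_LOOKUP_HOSTS:
                hits.append(("external_ip_lookup", proc, ev["Url"]))
        elif ev["type"] == "Registry":
            if (UNINSTALL_KEY_RE.search(ev["TargetObject"])
                    and proc not in UNINSTALL_ALLOWLIST):
                hits.append(("installed_software_enum", proc, ev["TargetObject"]))
        elif ev["type"] == "FileCreate":
            if SYSTEM32_RE.match(ev["TargetFilename"]) and proc not in SYSTEM32_WRITERS:
                hits.append(("drops_file_in_system32", proc, ev["TargetFilename"]))
    return hits


def scan(lines=SAMPLE_EVENTS):
    """Parse and evaluate a batch of raw event lines."""
    return evaluate(parse_event(line) for line in lines)


if __name__ == "__main__":
    for sig, proc, evidence in scan():
        print(f"{sig:26} {proc}  {evidence}")
```

Run stand-alone it reports four hits, all attributed to the sample: the Uninstall-key read (explorer.exe reading the same key is allow-listed), the check-in to the C2 URL, the ip-api.com lookup, and the write into System32. Firefox fetching an unrelated page produces nothing, which is the point of matching the full C2 path rather than the host alone.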