Analysis
- max time kernel: 121s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-10-2021 21:26
Static task: static1
Behavioral task: behavioral1
- Sample: 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
- Resource: win10v20210408
General
- Target: 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
- Size: 443KB
- MD5: 21c891db70bc3aa3ec9d015b0fc12692
- SHA1: ae592b5a328129f2ec0531dd87c6f28f87b39567
- SHA256: 60c3f88e80bd7604779b3653fe2bc26ecde37dc1177d7528c43c3fe843d0d5c6
- SHA512: 1e95aff4ff14ca155aa2b7625e2b95f787a6098c08e2d48ac39c8ba398c92f40d4cfa343e4ed6c71716cfca827bd4eea5c3aa1db12f7f9a04175b796bf9dfaa8
Malware Config
- Extracted: azorult
- http://casabayshops.co/index.php
Signatures
- Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M16
- Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 4648 set thread context of 3364 | 4648 | 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe | 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 4648 wrote to memory of 3364 | 4648 | 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe | 60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
(this entry is repeated 9 times in the report, one per IoC)
Processes
- C:\Users\Admin\AppData\Local\Temp\60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\60C3F88E80BD7604779B3653FE2BC26ECDE37DC1177D7.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/3364-115-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3364-116-0x000000000041A1F8-mapping.dmp
- memory/3364-117-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/4648-114-0x00000000022F0000-0x00000000022F1000-memory.dmp (Filesize: 4KB)