azorult

Resubmissions

13-10-2021 21:12

211013-z2l6lafbbq 10

12-10-2021 17:28

211012-v17npacgh7 9

12-10-2021 05:13

211012-fwnmpabccr 9

Sharing

Copy URL

Twitter E-mail

General

Target

Paladin.exe
Size

23.4MB
Sample

211013-z2l6lafbbq
MD5

787949053739a220802c108f4a2d8828
SHA1

2f0d0e8abbde55a908b31330d8f68a890f8accbc
SHA256

a08dee106fb19e3da540f8d0b7e6c0b1ea4ff443e3cc12bc81691c24b0ca993e
SHA512

91c9b21c5ad29c0fa7074a4515a0e88fbedf7f93f9916c5a057157f5df7e11ebb8b99a11c52f87a641e400025ad051b4c0b8e0225e175c4d425d770bafd5f722

Malware Config

Extracted

Family

redline

Botnet

she

135.181.129.119:4805

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

Extracted

Family

redline

Botnet

media13

91.121.67.60:2151

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

vidar

Version

41.3

Botnet

933

https://mas.to/@oleg98

Attributes

profile_id
933

Targets

- Target
  
  Paladin.exe
- Size
  
  23.4MB
- MD5
  
  787949053739a220802c108f4a2d8828
- SHA1
  
  2f0d0e8abbde55a908b31330d8f68a890f8accbc
- SHA256
  
  a08dee106fb19e3da540f8d0b7e6c0b1ea4ff443e3cc12bc81691c24b0ca993e
- SHA512
  
  91c9b21c5ad29c0fa7074a4515a0e88fbedf7f93f9916c5a057157f5df7e11ebb8b99a11c52f87a641e400025ad051b4c0b8e0225e175c4d425d770bafd5f722
Score

10^/10

azorult redline smokeloader socelars vidar 933 ani media13 she backdoor microsoft discovery evasion infostealer persistence phishing spyware stealer suricata themida trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Registers COM server for autorun
  persistence
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
  suricata: ET MALWARE Fake Software Download Redirect Leading to Malware M3
  suricata
- suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata: ET MALWARE GCleaner Downloader Activity M5
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
  suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
  suricata
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Vidar Stealer
  stealer
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops Chrome extension
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1