General
Target: e11fa56349781d01080d0baba6367758.exe
Size: 24.0MB
Sample: 220108-m7ex9achh3
MD5: e11fa56349781d01080d0baba6367758
SHA1: 6214bdca82fa0e54a75de181fd1ed95dffdaf35a
SHA256: 6fe04c8791ef39d3256b229ecb5e574d450e8c0e59300c32658e940880aa2929
SHA512: 1e99d322bb33346db00d9ba4ac0a6deb19830b02d3d4f98aee5461b2bbf99d02831b1079daed9d44307c261084a6864a4242a352aa12590b265941002de65f64
Static task: static1
Behavioral task: behavioral1 (Sample: e11fa56349781d01080d0baba6367758.exe; Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: e11fa56349781d01080d0baba6367758.exe; Resource: win10-en-20211208)
Malware Config
Extracted: azorult
  http://195.245.112.115/index.php
Extracted: njrat
  0.7d
  HacKed
  172.94.18.243:3001
  79402713f13d898b624bf5785b7dd5e5
  reg_key: 79402713f13d898b624bf5785b7dd5e5
  splitter: |'|'|
Targets
Target: e11fa56349781d01080d0baba6367758.exe (24.0MB; MD5, SHA1, SHA256 and SHA512 as listed under General above)
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- XMRig Miner Payload
- Executes dropped EXE
- Modifies Windows Firewall
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext