General

  • Target

    5f955585f209598a9d7069fcdae436ac263121eace28f571b036b3730ee25c0f

  • Size

    344KB

  • Sample

    220520-2gvy4sader

  • MD5

    0bfc806b909165a96c8c2be29e1bcbf0

  • SHA1

    eb560e083775c27437aac119e392bd5bfdb07e2d

  • SHA256

    5f955585f209598a9d7069fcdae436ac263121eace28f571b036b3730ee25c0f

  • SHA512

    438274dc7bc20e96383baf92e943d8e1c7a3bf49cc38c9824681113e293767c81346668cb77ba00c98020bd2af30245076d2508e854d44c93bc6405ea4ed4f76

Malware Config

Extracted

  • Family

    azorult

  • C2

    https://johnsonmeds.com/wp-admin/css/index.php

Targets

    • Target

      IMG_626166155117636637099388377365355343431DT.exe

    • Size

      599KB

    • MD5

      b58750b262ee79c332c554bc004702b2

    • SHA1

      7f4a16ea0c530b6cb136efb2027632b624ca013d

    • SHA256

      84c63913782658c1a3fe4c7c7f7bb9c2e09591ece6b7018ec3d48c7282582068

    • SHA512

      efb1ff89773ca35a5bfc9bf7472e7e8495870eec97905e2a17220a5e2b58371ff86ef77ed5f37f32d752fe4c679c1c3b03e79d62963e8906749db01a0b28f2ad

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks