Analysis
- max time kernel: 149s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20/05/2022, 13:37
- Static task: static1
- Behavioral task: behavioral1 (Sample: NSL SUGARS LTD UNIT.exe; Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: NSL SUGARS LTD UNIT.exe; Resource: win10v2004-20220414-en)
General
- Target: NSL SUGARS LTD UNIT.exe
- Size: 1.2MB
- MD5: dd02d84951a6b48b98f08abd3f79a278
- SHA1: d9b39d7fda6d314b4c49b5d5dc9e634ee14448df
- SHA256: 7cd0f0947f0485f250747fe2e8eee845d912830239a949ac721335824ee03365
- SHA512: af0d3bd698a0b06e9a28382126e3599815ab501d1f61ff2492c8777ff00b98633f1264ecda266244a9b8ffccf20cf32ebab1eba11116ca2461d31c0a8aa4c71c
Malware Config
- Extracted family: azorult
- Extracted URL: http://49.12.98.113/index.php
Signatures
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE AZORult Variant.4 Checkin M2
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4
- Suspicious use of SetThreadContext (15 IoCs)

  description                           pid   Process                  procid_target
  PID 1348 set thread context of 904    1348  NSL SUGARS LTD UNIT.exe  28
  PID 1348 set thread context of 1072   1348  NSL SUGARS LTD UNIT.exe  31
  PID 1348 set thread context of 1892   1348  NSL SUGARS LTD UNIT.exe  32
  PID 1348 set thread context of 1820   1348  NSL SUGARS LTD UNIT.exe  33
  PID 1348 set thread context of 612    1348  NSL SUGARS LTD UNIT.exe  34
  PID 1348 set thread context of 1704   1348  NSL SUGARS LTD UNIT.exe  35
  PID 1348 set thread context of 1388   1348  NSL SUGARS LTD UNIT.exe  36
  PID 1348 set thread context of 1428   1348  NSL SUGARS LTD UNIT.exe  37
  PID 1348 set thread context of 1884   1348  NSL SUGARS LTD UNIT.exe  38
  PID 1348 set thread context of 316    1348  NSL SUGARS LTD UNIT.exe  39
  PID 1348 set thread context of 1728   1348  NSL SUGARS LTD UNIT.exe  40
  PID 1348 set thread context of 1936   1348  NSL SUGARS LTD UNIT.exe  41
  PID 1348 set thread context of 1128   1348  NSL SUGARS LTD UNIT.exe  42
  PID 1348 set thread context of 1240   1348  NSL SUGARS LTD UNIT.exe  43
  PID 1348 set thread context of 1648   1348  NSL SUGARS LTD UNIT.exe  44
- Suspicious behavior: EnumeratesProcesses (14 IoCs)

  pid   Process
  1348  NSL SUGARS LTD UNIT.exe  (14 identical entries)
- Suspicious use of FindShellTrayWindow (3 IoCs)

  pid   Process
  1348  NSL SUGARS LTD UNIT.exe  (3 identical entries)
- Suspicious use of SendNotifyMessage (3 IoCs)

  pid   Process
  1348  NSL SUGARS LTD UNIT.exe  (3 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs; identical entries collapsed, with the count of occurrences in the last column)

  description                        pid   Process                  procid_target  occurrences
  PID 1348 wrote to memory of 904    1348  NSL SUGARS LTD UNIT.exe  28             6
  PID 1348 wrote to memory of 1072   1348  NSL SUGARS LTD UNIT.exe  31             6
  PID 1348 wrote to memory of 1892   1348  NSL SUGARS LTD UNIT.exe  32             6
  PID 1348 wrote to memory of 1820   1348  NSL SUGARS LTD UNIT.exe  33             6
  PID 1348 wrote to memory of 612    1348  NSL SUGARS LTD UNIT.exe  34             6
  PID 1348 wrote to memory of 1704   1348  NSL SUGARS LTD UNIT.exe  35             6
  PID 1348 wrote to memory of 1388   1348  NSL SUGARS LTD UNIT.exe  36             6
  PID 1348 wrote to memory of 1428   1348  NSL SUGARS LTD UNIT.exe  37             6
  PID 1348 wrote to memory of 1884   1348  NSL SUGARS LTD UNIT.exe  38             6
  PID 1348 wrote to memory of 316    1348  NSL SUGARS LTD UNIT.exe  39             6
  PID 1348 wrote to memory of 1728   1348  NSL SUGARS LTD UNIT.exe  40             4
Processes
- C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (depth 1, PID 1348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2), each started from the same image with the same command line "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe":
  - PID 904
  - PID 1072
  - PID 1892
  - PID 1820
  - PID 612
  - PID 1704
  - PID 1388
  - PID 1428
  - PID 1884
  - PID 316
  - PID 1728
  - PID 1936
  - PID 1128
  - PID 1240
  - PID 1648
Network
MITRE ATT&CK Matrix
Downloads