Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20/05/2022, 13:37

General

  • Target

    NSL SUGARS LTD UNIT.exe

  • Size

    1.2MB

  • MD5

    dd02d84951a6b48b98f08abd3f79a278

  • SHA1

    d9b39d7fda6d314b4c49b5d5dc9e634ee14448df

  • SHA256

    7cd0f0947f0485f250747fe2e8eee845d912830239a949ac721335824ee03365

  • SHA512

    af0d3bd698a0b06e9a28382126e3599815ab501d1f61ff2492c8777ff00b98633f1264ecda266244a9b8ffccf20cf32ebab1eba11116ca2461d31c0a8aa4c71c

Malware Config

Extracted

  • Family
    azorult
  • C2
    http://49.12.98.113/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • suricata: ET MALWARE AZORult Variant.4 Checkin M2

  • suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4

  • Suspicious use of SetThreadContext 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
    "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
    PID:1348
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:904
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1072
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1892
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1820
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:612
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1704
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1388
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1428
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1884
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:316
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1728
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1936
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1128
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1240
    • C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
      "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
      PID:1648

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BP3J0MZ.txt
    Filesize: 105B
    MD5: e7f1d1f614397da9b9e557f8f2eaead6
    SHA1: 7e0651e2c7386bcb78b851805c567e0e68322004
    SHA256: ff46e5bcaca80a46b9295998ba083238af55243107728168f469732bb0fd6639
    SHA512: b70ac9e3f6f12bb9fcb7ba5cee5ebdf7048dc04a8e63c14fd81ab3983075f69ecea8f0cc6520f9f7b19eac4a80e3a3696caa3a7a4de48cfdcb9cee53eff9cf92

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7VSL9F9E.txt
    Filesize: 103B
    MD5: c6c9c9062caf4a46e77102263e343d56
    SHA1: 171979bfe35857c1608e34c3e98b08a158a61520
    SHA256: b97c5d1f09f4475e8fb390c2ebef4291d4727551f8a71a7f298e90d31899bb20
    SHA512: 477022f8e0692c9e2a96676fd498c4cebf8d0669b1aa2af8f0e768f19a4e7bbc6177941d9de0ecd1099895154aa4fc425197bc18032d7e73666592c6dfd8d0c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9M4BG4HP.txt
    Filesize: 103B
    MD5: 2ea62a472e4b845b629ef6e3999fead1
    SHA1: 6bb6705594236f2817f0017b7f2e38221d32c9c0
    SHA256: 821969c5c8dfc6918c424aa38db5675c3d2efb0ea2f1883616ced6aee9f9f546
    SHA512: 500da45ede07ba2cfc4f05097c1c352b525ac353b9b6fc7c925f6c76d83cb3b029275cb692dc36e9995aa7895767dfb7da53fc6cf3e11e282554f977351c39e9

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BV8OQTNO.txt
    Filesize: 105B
    MD5: b5658f0be2a5b0d6ddf728389b93c014
    SHA1: d897cf2c1ab44ebf49020bcec7458c5c2595728a
    SHA256: 881ca64436a9bd8d2ef6614a0ed22aef93f1ba1969e3b87225aa8b7250d30a73
    SHA512: eb463a2a0e116016354ad82ef7cfb7100213774a58994d127ba98811a94b54c76373415b9bbf333fa346b640900d3064c0c0dc401ee1ea4e050e59fc07b65383

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CD3J98KK.txt
    Filesize: 102B
    MD5: 91b768cade3d39f4af5673810bedbb58
    SHA1: f205262262b304bcc12cf69996ccb16b051ef161
    SHA256: 53a1143fb41cca9271dd17490163ac93049bd04d6a86812bacb87bb294811dd8
    SHA512: d2daa04c1423dc83e079fe8ef378e9ca08eda7623df3f23e1423b64fe8af6f0ac21fa61cf085d933d067d17fd9eba6873a9f74e8bfe8e97fc2259dbc3505c485

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DP3K9PQH.txt
    Filesize: 103B
    MD5: c688506438589077e98dcc2aaa3ab5b8
    SHA1: 1b6d3e4ea2da3d6d918eb61c80a9110180154bce
    SHA256: b115f3cd132e9f8f6923802bf001c78d2da7ef126b774fd559f1de2cd8bd1dd8
    SHA512: 6cb0fd9e8ffe5d06e08d374b5a84ff8250dba9c0f1c5a7b6d34bc774b375bf8ecd136475fe29e0f92a57ca1e14590e0dda1b3a778c3c630c52c32f6f0120588c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E2O2JG5B.txt
    Filesize: 105B
    MD5: e5d797ceb29ca9b6528832cd61be5121
    SHA1: 01cab6d6e1e39a1dfe1ee70d7f69530d7c2105b0
    SHA256: adc332afa1205511cb876fe4bed1cec90e00c24615900694bfcf52d8396f61c1
    SHA512: bf457acdf580b934c86c70d37b8fa18740c54d62223ffe80e3fa9c84e5901fd6da04280ab250eb82ffc91ae0d384e24f0d21bca1159cb558a96775dcdf34e26c

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MXUXAYFI.txt
    Filesize: 105B
    MD5: db095da5aecf4bc4abd5cb164095897b
    SHA1: 328742e9a900a6a21d8b32c86bc925cef82b32a7
    SHA256: 990636080d8ccc386ee6d34128fa63c15c1591ac6721c792115cfd8febc9d380
    SHA512: 54ff89e9d54ebffc26c21e588fd2a8ef7ae513dce089705990d2aa11b54100a59f60ec628f811eda1828f23a165dc7d657bdaaa6fc51ef81416201e5eb2a5998

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OXBC07B7.txt
    Filesize: 103B
    MD5: a88b3bc6e3a1f930219422843ca1e1e5
    SHA1: 99bc719d75acb4aa447ffe54decf71c00f571f0c
    SHA256: 3447ffc7e0accc3675e458aafe62ec8955d3f71d6bb341a98420dce470682d11
    SHA512: 9a61477f3950d88d9960ef3115753585f1535e0ecb95a839978bb07784900147a2b245b85b7ec00e068cad15566276a8301e2c28cb0be1cb1c0d768a8ad7e44a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PEQN54TW.txt
    Filesize: 101B
    MD5: 995f2f14c4ca172c0524c506097b59ec
    SHA1: 57bd709e5ffcc01f685757abe9cd4ce668b90068
    SHA256: c2df64526f4efdd29d4e0344c552736fd07125af9bfde72df8ee67952a369c1e
    SHA512: 963399f167dd418e2f2b7dda40587b8fdd6b926679b732963206319065858deec3b81c4114284e285ab1d0b744b46a065678939450f0965002f59497e4ffd768

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PMVPO0R7.txt
    Filesize: 105B
    MD5: bcb3502fb8e5433c906767cefdcffd14
    SHA1: c22bd35f7eda5c745f67859af72b00606f1205e1
    SHA256: 9eed1abfff7460e94bdb95e25b753481132ecba70d03ffcedad8d627a0e0b44d
    SHA512: 03d010924498e9cec57f774929a602df168820cd416a8cd1d254d3c2ffb35e4cc3eb1a6a6da67a061c8b09d701c401ac5aa253515f147846fc83139e43e09492

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q42AHYH8.txt
    Filesize: 105B
    MD5: da96cf93da0ba0c9ec9a513fdf52eb3b
    SHA1: b0a2ce83702b970e30c169a8c05a999637ace607
    SHA256: 4ecdb26d3232ecb561649aef535f01198c6f6dc9ac5ecd2ea619adbf7338f500
    SHA512: 0f39b9b49bb0fbd70f6fa5d73ee351ba2f5f702c8fb261c46a5cc7568b080665b3568652d4242fae12b685cce4d9f9bd47dac672f0b6ebebf9572032e551d8d3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X805Z13R.txt
    Filesize: 103B
    MD5: 4b4cca9df512bbda0d72dc63bd7837d4
    SHA1: cdd9a5394af7b02a6a03479ae5f58b185f078ca4
    SHA256: 7b70e1efcf5678581b44abbeffce5d30b598e3afd790c031f9af0b259b62a440
    SHA512: ae754487c79e005dd985b68ef4f623b531ffaf6ad5db4baed00127fd64285e7c7e9cdc678cafab3a3b20eadcf1a473936f9aa65c1d2d6b24ab79bdecf3f6072a

  • memory/904-66-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/904-57-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/904-55-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize: 128KB

  • memory/1348-111-0x00000000026C0000-0x0000000002802000-memory.dmp
    Filesize: 1.3MB

  • memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp
    Filesize: 8KB

  • memory/1348-69-0x0000000000560000-0x0000000000599000-memory.dmp
    Filesize: 228KB

  • memory/1348-68-0x0000000000520000-0x0000000000559000-memory.dmp
    Filesize: 228KB

  • memory/1820-108-0x0000000000080000-0x00000000000A0000-memory.dmp
    Filesize: 128KB

  • memory/1820-99-0x0000000000080000-0x00000000000A0000-memory.dmp
    Filesize: 128KB