Analysis

max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20/05/2022, 13:37

Static task: static1
Behavioral task: behavioral1
  Sample: NSL SUGARS LTD UNIT.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: NSL SUGARS LTD UNIT.exe
  Resource: win10v2004-20220414-en
General

Target: NSL SUGARS LTD UNIT.exe
Size: 1.2MB
MD5: dd02d84951a6b48b98f08abd3f79a278
SHA1: d9b39d7fda6d314b4c49b5d5dc9e634ee14448df
SHA256: 7cd0f0947f0485f250747fe2e8eee845d912830239a949ac721335824ee03365
SHA512: af0d3bd698a0b06e9a28382126e3599815ab501d1f61ff2492c8777ff00b98633f1264ecda266244a9b8ffccf20cf32ebab1eba11116ca2461d31c0a8aa4c71c
Malware Config

Extracted
Family: azorult
C2 (check-in URL): http://49.12.98.113/index.php
Signatures

Azorult
An information stealer first seen in 2016 that targets browsing history and saved passwords.

suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
Suspicious use of SetThreadContext (13 IoCs)

description                          pid   Process                  procid_target
PID 2796 set thread context of 4124  2796  NSL SUGARS LTD UNIT.exe  78
PID 2796 set thread context of 4304  2796  NSL SUGARS LTD UNIT.exe  79
PID 2796 set thread context of 3628  2796  NSL SUGARS LTD UNIT.exe  81
PID 2796 set thread context of 2464  2796  NSL SUGARS LTD UNIT.exe  82
PID 2796 set thread context of 1184  2796  NSL SUGARS LTD UNIT.exe  89
PID 2796 set thread context of 2516  2796  NSL SUGARS LTD UNIT.exe  90
PID 2796 set thread context of 4060  2796  NSL SUGARS LTD UNIT.exe  91
PID 2796 set thread context of 1372  2796  NSL SUGARS LTD UNIT.exe  92
PID 2796 set thread context of 4012  2796  NSL SUGARS LTD UNIT.exe  93
PID 2796 set thread context of 3368  2796  NSL SUGARS LTD UNIT.exe  94
PID 2796 set thread context of 3740  2796  NSL SUGARS LTD UNIT.exe  95
PID 2796 set thread context of 2264  2796  NSL SUGARS LTD UNIT.exe  96
PID 2796 set thread context of 3840  2796  NSL SUGARS LTD UNIT.exe  97

Every target is a child of 2796 that runs the same image (see Processes), and each one also receives WriteProcessMemory calls from 2796. Writing into a freshly spawned copy of itself and then redirecting a thread with SetThreadContext is consistent with process hollowing / self-injection, so the unpacked AZORult payload is more likely to be found in the memory of these children than in the parent's own image.
Suspicious behavior: EnumeratesProcesses (28 IoCs)

pid   Process
2796  NSL SUGARS LTD UNIT.exe  (28 identical entries)

Suspicious use of FindShellTrayWindow (3 IoCs)

pid   Process
2796  NSL SUGARS LTD UNIT.exe  (3 identical entries)

Suspicious use of SendNotifyMessage (3 IoCs)

pid   Process
2796  NSL SUGARS LTD UNIT.exe  (3 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)

All 64 entries are writes from PID 2796 into its own children; they are grouped here by target, with the number of identical entries per target in the last column.

description                      pid   Process                  procid_target  entries
PID 2796 wrote to memory of 4124  2796  NSL SUGARS LTD UNIT.exe  78             5
PID 2796 wrote to memory of 4304  2796  NSL SUGARS LTD UNIT.exe  79             5
PID 2796 wrote to memory of 3628  2796  NSL SUGARS LTD UNIT.exe  81             5
PID 2796 wrote to memory of 2464  2796  NSL SUGARS LTD UNIT.exe  82             5
PID 2796 wrote to memory of 1184  2796  NSL SUGARS LTD UNIT.exe  89             5
PID 2796 wrote to memory of 2516  2796  NSL SUGARS LTD UNIT.exe  90             5
PID 2796 wrote to memory of 4060  2796  NSL SUGARS LTD UNIT.exe  91             5
PID 2796 wrote to memory of 1372  2796  NSL SUGARS LTD UNIT.exe  92             5
PID 2796 wrote to memory of 4012  2796  NSL SUGARS LTD UNIT.exe  93             5
PID 2796 wrote to memory of 3368  2796  NSL SUGARS LTD UNIT.exe  94             5
PID 2796 wrote to memory of 3740  2796  NSL SUGARS LTD UNIT.exe  95             5
PID 2796 wrote to memory of 2264  2796  NSL SUGARS LTD UNIT.exe  96             5
PID 2796 wrote to memory of 3840  2796  NSL SUGARS LTD UNIT.exe  97             4

The listing appears to stop at 64 entries, which is why the last target shows 4 writes rather than the 5 seen for every other target.
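The SetThreadContext and WriteProcessMemory signatures above are only useful together: one write is noise, but a write into a process followed by a thread-context change from the same source is the injection shape a triage script should surface. The following Python is an added example written for this report; it is not the sandbox's own tooling. It parses records in the report's own "PID <src> <verb> <dst> <src> <image> <procid_target>" layout (either one per line or run together on a single line as above), pairs the two API families per (source, target), and marks targets that run the same image as their injector. The sample records are a constructed subset of this report's entries plus one constructed control record for PID 9999, which is not in the report and receives a write but no SetThreadContext.

```python
"""Correlate a sandbox's process-memory signatures into per-target injection verdicts."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Record layout used by the report above:
#   "PID <src> <verb> <dst> <src> <image> <procid_target>"
# The image name can contain spaces, so each record is terminated by a lookahead for
# the next "PID " token or end of text. That also lets the parser accept the report's
# run-on single-line form, not only one record per line.
_RECORD = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>.+?) (?P<procid>\d+)(?=\s+PID |\s*$)"
)


@dataclass
class TargetActivity:
    """What one source PID did to one target PID."""
    source_pid: int
    target_pid: int
    source_image: str
    writes: int = 0          # WriteProcessMemory records
    context_sets: int = 0    # SetThreadContext records

    @property
    def verdict(self) -> str:
        if self.writes and self.context_sets:
            # Write a payload, then point a thread at it: the process-hollowing /
            # self-injection shape this report shows for parent 2796.
            return "hollowing_candidate"
        if self.writes:
            return "write_only"      # data-only write, or the trace stopped early
        return "context_only"        # thread redirected without a visible write


def parse_records(text: str) -> dict[tuple[int, int], TargetActivity]:
    """Group records by (source, target) pair, counting each API family separately."""
    pairs: dict[tuple[int, int], TargetActivity] = {}
    for m in _RECORD.finditer(text):
        key = (int(m["src"]), int(m["dst"]))
        act = pairs.setdefault(key, TargetActivity(key[0], key[1], m["image"]))
        if m["verb"].startswith("wrote"):
            act.writes += 1
        else:
            act.context_sets += 1
    return pairs


def flag_injection(text: str, processes: dict[int, str]) -> list[dict]:
    """One row per (source, target) pair, sorted by PIDs, with a verdict and a same_image
    flag (True when the target runs the same image path as the injecting process)."""
    rows = []
    for (src, dst), act in sorted(parse_records(text).items()):
        same_image = dst in processes and processes[dst] == processes.get(src)
        rows.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": act.writes,
            "context_sets": act.context_sets,
            "same_image": same_image,
            "verdict": act.verdict,
        })
    return rows


# Constructed sample: a subset of this report's records (targets 4124, 4304, 3840) plus
# one constructed control record for PID 9999, which is not in the report.
SAMPLE_RECORDS = """
PID 2796 set thread context of 4124 2796 NSL SUGARS LTD UNIT.exe 78
PID 2796 set thread context of 4304 2796 NSL SUGARS LTD UNIT.exe 79
PID 2796 set thread context of 3840 2796 NSL SUGARS LTD UNIT.exe 97
PID 2796 wrote to memory of 4124 2796 NSL SUGARS LTD UNIT.exe 78
PID 2796 wrote to memory of 4124 2796 NSL SUGARS LTD UNIT.exe 78
PID 2796 wrote to memory of 4304 2796 NSL SUGARS LTD UNIT.exe 79
PID 2796 wrote to memory of 3840 2796 NSL SUGARS LTD UNIT.exe 97
PID 2796 wrote to memory of 9999 2796 NSL SUGARS LTD UNIT.exe 200
"""

# PID -> image path, taken from the Processes section of this report (9999 is absent).
_IMG = r"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
SAMPLE_PROCESSES = {2796: _IMG, 4124: _IMG, 4304: _IMG, 3840: _IMG}

if __name__ == "__main__":
    for row in flag_injection(SAMPLE_RECORDS, SAMPLE_PROCESSES):
        print(row)
```

Keying on the (source, target) pair rather than the target alone matters on real reports, where a debugger or AV component may legitimately write into the same child; the same_image flag is what separates a parent hollowing a copy of itself from that case.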
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 2796)
  command line: "C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: thirteen children of PID 2796, each running the same image with the same command line and carrying no signatures of its own:
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 4124)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 4304)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 3628)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 2464)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 1184)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 2516)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 4060)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 1372)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 4012)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 3368)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 3740)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 2264)
    C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe (PID 3840)