Analysis

max time kernel: 149s
max time network: 141s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20/05/2022, 13:37

Static task: static1

Behavioral task: behavioral1
  Sample: PICTURE FOR ILLUSTRATION.exe
  Resource: win7-20220414-en
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: PICTURE FOR ILLUSTRATION.exe
  Resource: win10v2004-20220414-en
  0 signatures, 0 seconds
General

Target: PICTURE FOR ILLUSTRATION.exe
Size: 1.1MB
MD5: b80d2586d6dfded6f69d630f1601c6be
SHA1: d4cdf6acb324c1142ad86a0e92d0548dc3388ac3
SHA256: 007ac20801e4bd954545cdcd275522fb87687179ed8dd160ceb6e906998a0558
SHA512: 06afc5ad8b6fc73636c102e995d94daf553faa19fd1431db0f41fc2e98b149bb75ee603d9006cf21a8140c0bbe2019346c46e95328533359103a9e8aba253c7d
Score: 10/10
Malware Config

Extracted
  Family: azorult
  C2: http://51.116.180.53/index.php
Signatures

Azorult
  An information stealer first observed in 2016. It harvests browsing history and saved passwords from the victim and reports them to an HTTP C2, here the URL shown in the extracted configuration above.

Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process                       procid_target
  PID 1880 set thread context of 1784   1880  PICTURE FOR ILLUSTRATION.exe  27
  PID 1880 set thread context of 1460   1880  PICTURE FOR ILLUSTRATION.exe  30

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   Process
  1880  PICTURE FOR ILLUSTRATION.exe   (14 identical rows, one per call)

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1880  PICTURE FOR ILLUSTRATION.exe   (3 identical rows, one per call)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1880  PICTURE FOR ILLUSTRATION.exe   (3 identical rows, one per call)

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                       procid_target
  PID 1880 wrote to memory of 1784   1880  PICTURE FOR ILLUSTRATION.exe  27   (6 identical rows, one per call)
  PID 1880 wrote to memory of 1460   1880  PICTURE FOR ILLUSTRATION.exe  30   (6 identical rows, one per call)

Note: procid_target is the sandbox's internal index for the target process, not a Windows PID; the PIDs are the numbers in the description column. Read together, the WriteProcessMemory and SetThreadContext rows show the parent (1880) writing into each child it spawned from its own image (1784 and 1460) and then resetting that child's thread context, the sequence associated with process hollowing: the child is created, its memory is overwritten with the payload, and execution is redirected into it.
Processes

C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
  PID: 1880 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
      PID: 1784 (depth 2, child of 1880)

    C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
      PID: 1460 (depth 2, child of 1880)
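The process tree and the WriteProcessMemory/SetThreadContext rows above can be correlated mechanically. The script below is an added example, not part of the sandbox report or of any sandbox's API: it replays the page's signature rows (constructed inline, duplicates kept because the sandbox emits one row per API call) and the reported parent/child relationships, and flags every (source, target) pair that shows the full write-then-set-context sequence into a child the source spawned from its own image. The data structures, function names and the "self-spawned child" heuristic are this example's own assumptions.

```python
"""
Correlate flattened sandbox signature rows into a process-hollowing verdict.

Added example; the row format mirrors the report on this page, and the
process tree below is constructed from its Processes section.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree: pid -> image name and parent pid.
PROCESS_TREE = {
    1880: {"image": "PICTURE FOR ILLUSTRATION.exe", "parent": None},
    1784: {"image": "PICTURE FOR ILLUSTRATION.exe", "parent": 1880},
    1460: {"image": "PICTURE FOR ILLUSTRATION.exe", "parent": 1880},
}

# Signature rows as the report lists them: (signature name, description).
# The report repeats the WriteProcessMemory rows six times each.
SIGNATURE_ROWS = (
    [("SetThreadContext", "PID 1880 set thread context of 1784"),
     ("SetThreadContext", "PID 1880 set thread context of 1460")]
    + [("WriteProcessMemory", "PID 1880 wrote to memory of 1784")] * 6
    + [("WriteProcessMemory", "PID 1880 wrote to memory of 1460")] * 6
)

# Matches both description shapes used by the report.
ROW_RE = re.compile(r"PID (\d+) (?:set thread context of|wrote to memory of) (\d+)$")


def parse_rows(rows):
    """Return {(src_pid, dst_pid): {signature: call_count}} from flattened rows."""
    events = defaultdict(lambda: defaultdict(int))
    for signature, description in rows:
        match = ROW_RE.match(description)
        if match is None:
            continue  # rows without a source/target pair carry no injection info
        src, dst = int(match.group(1)), int(match.group(2))
        events[(src, dst)][signature] += 1
    return events


def hollowing_candidates(events, tree):
    """Flag pairs where the source both wrote into the target and reset its
    thread context. 'self_spawned_child' is true when the target is a child
    of the source running the same image, the classic hollowing layout."""
    hits = []
    for (src, dst), sigs in events.items():
        if "WriteProcessMemory" not in sigs or "SetThreadContext" not in sigs:
            continue  # one API alone is not enough to call it hollowing
        child = tree.get(dst)
        self_spawned = (
            child is not None
            and child["parent"] == src
            and src in tree
            and child["image"] == tree[src]["image"]
        )
        hits.append({
            "src": src,
            "dst": dst,
            "writes": sigs["WriteProcessMemory"],
            "context_sets": sigs["SetThreadContext"],
            "self_spawned_child": self_spawned,
        })
    return sorted(hits, key=lambda h: h["dst"])


if __name__ == "__main__":
    for hit in hollowing_candidates(parse_rows(SIGNATURE_ROWS), PROCESS_TREE):
        print(f"{hit['src']} -> {hit['dst']}: {hit['writes']} writes, "
              f"{hit['context_sets']} SetThreadContext, "
              f"self-spawned child={hit['self_spawned_child']}")
```

Run against the page's rows this reports two candidates, 1880 -> 1460 and 1880 -> 1784, each with six writes and one SetThreadContext into a self-spawned child. A pair that only shows WriteProcessMemory (for example a single write into an unrelated process) is deliberately not flagged; the SetThreadContext call is what distinguishes hollowing from ordinary cross-process writes such as those done by debuggers or installers.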