Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20/05/2022, 13:37

General

  • Target

    PICTURE FOR ILLUSTRATION.exe

  • Size

    1.1MB

  • MD5

    b80d2586d6dfded6f69d630f1601c6be

  • SHA1

    d4cdf6acb324c1142ad86a0e92d0548dc3388ac3

  • SHA256

    007ac20801e4bd954545cdcd275522fb87687179ed8dd160ceb6e906998a0558

  • SHA512

    06afc5ad8b6fc73636c102e995d94daf553faa19fd1431db0f41fc2e98b149bb75ee603d9006cf21a8140c0bbe2019346c46e95328533359103a9e8aba253c7d

Malware Config

Extracted

Family

azorult

C2

http://51.116.180.53/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
    "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
      "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
      2⤵
      PID:3448
    • C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
      "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
      2⤵
      PID:4756
    • C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
      "C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe"
      2⤵
      PID:228

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2784-140-0x00000000028C0000-0x00000000028F9000-memory.dmp

    Filesize

    228KB

  • memory/2784-141-0x00000000041C0000-0x00000000041F9000-memory.dmp

    Filesize

    228KB

  • memory/3448-131-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/3448-139-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB