Analysis

max time kernel: 157s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20/05/2022, 13:37
Static task: static1

Behavioral task: behavioral1
  Sample: 19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip
  Resource: win10v2004-20220414-en

Behavioral task: behavioral3
  Sample: Rabih Trading LLC Dubai.exe
  Resource: win7-20220414-en

Behavioral task: behavioral4
  Sample: Rabih Trading LLC Dubai.exe
  Resource: win10v2004-20220414-en
General

Target: Rabih Trading LLC Dubai.exe
Size: 1.1MB
MD5: 9b18816e3b13b8445f2b8774aed72b08
SHA1: 6aea28ca385792ced87b2cfb702469574b36cfe5
SHA256: b8cedaeefb46ff748af412d63d33b2d508966d4e33fd88efc592072b64017f5c
SHA512: 0c9976bbe6564177c0a639395ef98f9c84c5949c780d1ed658de4fc499220f2d6499e5d7b811682d34e099a7d82a9210d9fcffc985190f680b201fae85a7a16d
Malware Config

Extracted config (azorult): http://51.116.180.53/index.php
Signatures

Azorult
An information stealer, first discovered in 2016, that targets browsing history and passwords.

Suspicious use of SetThreadContext (3 IoCs)

description                          pid   Process                      procid_target
PID 2852 set thread context of 2776  2852  Rabih Trading LLC Dubai.exe  79
PID 2852 set thread context of 1324  2852  Rabih Trading LLC Dubai.exe  88
PID 2852 set thread context of 4704  2852  Rabih Trading LLC Dubai.exe  89
Suspicious behavior: EnumeratesProcesses (26 IoCs)

pid   Process
2852  Rabih Trading LLC Dubai.exe  (all 26 entries are identical)
Suspicious use of FindShellTrayWindow (4 IoCs)

pid   Process
2852  Rabih Trading LLC Dubai.exe  (all 4 entries are identical)
Suspicious use of SendNotifyMessage (4 IoCs)

pid   Process
2852  Rabih Trading LLC Dubai.exe  (all 4 entries are identical)
Suspicious use of WriteProcessMemory (15 IoCs)

description                     pid   Process                      procid_target
PID 2852 wrote to memory of 2776  2852  Rabih Trading LLC Dubai.exe  79  (5 identical entries)
PID 2852 wrote to memory of 1324  2852  Rabih Trading LLC Dubai.exe  88  (5 identical entries)
PID 2852 wrote to memory of 4704  2852  Rabih Trading LLC Dubai.exe  89  (5 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
  PID: 2852
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
      PID: 2776

    C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
      PID: 1324

    C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"
      PID: 4704