Analysis
- max time kernel: 36s
- max time network: 40s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20/05/2022, 14:09
Static task
- static1

Behavioral task
- behavioral1
- Sample: RFQ452.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds

Behavioral task
- behavioral2
- Sample: RFQ452.exe
- Resource: win10v2004-20220414-en
- 0 signatures
- 0 seconds
General
- Target: RFQ452.exe
- Size: 676KB
- MD5: 4c6c42a1760c912ffd0398c52e7dcc16
- SHA1: c49d79093cc183ac858fe0c7624cdcbae2280d93
- SHA256: 9dd2e2e1dc00671e8faee152525a1dd54d069cdd13da671eea3a825c1ac69864
- SHA512: 43131664d46487e12bb6cc3b5aa568940941ccd08dfc7cbc9ed930a689fa54fcb8c2314503d0c48cb60b5882db87fea8d26b7aa2fd1a966388b3938fb0608cf3
- Score: 10/10
Malware Config
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4
- Suspicious use of SetThreadContext (1 IoC)
  description                          | pid  | Process    | procid_target
  PID 1788 set thread context of 1640  | 1788 | RFQ452.exe | 27
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  | Process
  1788 | RFQ452.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid  | Process
  1788 | RFQ452.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process    | procid_target
  PID 1788 wrote to memory of 1640  | 1788 | RFQ452.exe | 27
  PID 1788 wrote to memory of 1640  | 1788 | RFQ452.exe | 27
  PID 1788 wrote to memory of 1640  | 1788 | RFQ452.exe | 27
  PID 1788 wrote to memory of 1640  | 1788 | RFQ452.exe | 27
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ452.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ452.exe"
  PID: 1788
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\RFQ452.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ452.exe"
    PID: 1640