Analysis

max time kernel: 173s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20/05/2022, 14:09
Static task
static1

Behavioral task
behavioral1
Sample: RFQ452.exe
Resource: win7-20220414-en
0 signatures, 0 seconds

Behavioral task
behavioral2
Sample: RFQ452.exe
Resource: win10v2004-20220414-en
0 signatures, 0 seconds
General

Target: RFQ452.exe
Size: 676KB
MD5: 4c6c42a1760c912ffd0398c52e7dcc16
SHA1: c49d79093cc183ac858fe0c7624cdcbae2280d93
SHA256: 9dd2e2e1dc00671e8faee152525a1dd54d069cdd13da671eea3a825c1ac69864
SHA512: 43131664d46487e12bb6cc3b5aa568940941ccd08dfc7cbc9ed930a689fa54fcb8c2314503d0c48cb60b5882db87fea8d26b7aa2fd1a966388b3938fb0608cf3

Score: 10/10
Malware Config
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14

Suspicious use of SetThreadContext (1 IoC)
description                           pid   Process     procid_target
PID 4556 set thread context of 4804   4556  RFQ452.exe  81

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
4556  RFQ452.exe
4556  RFQ452.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
4556  RFQ452.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid   Process     procid_target
PID 4556 wrote to memory of 4804    4556  RFQ452.exe  81
PID 4556 wrote to memory of 4804    4556  RFQ452.exe  81
PID 4556 wrote to memory of 4804    4556  RFQ452.exe  81
Processes

[1] C:\Users\Admin\AppData\Local\Temp\RFQ452.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ452.exe"
    PID: 4556
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [2] child of PID 4556: C:\Users\Admin\AppData\Local\Temp\RFQ452.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ452.exe"
        PID: 4804
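The report's behaviour rows fit together: PID 4556 launches a second copy of the same image (PID 4804), writes to its memory three times, then resets one of its threads' contexts. Read together that is the shape of self-injection into a child process, a common unpacking step before the stealer payload runs and the Suricata check-in fires. The script below is an added example, not part of the sandbox report or of the tooling that produced it; it correlates the report's rows (re-entered here as constructed Python records; the field names pid, ppid, target and api are this script's own assumptions) and returns the parent/child pair that shows the pattern, rather than alerting on each API call in isolation.

```python
"""Correlate sandbox behaviour rows into a cross-process injection finding.

Added example; the data below is transcribed from the report's Signatures and
Processes sections, and the record layout is an assumption of this script.
"""
from collections import defaultdict

# Constructed from the report's process tree: parent -> child, same image path.
PROCESSES = [
    {"pid": 4556, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Temp\RFQ452.exe"},
    {"pid": 4804, "ppid": 4556, "image": r"C:\Users\Admin\AppData\Local\Temp\RFQ452.exe"},
]

# Constructed from the report's IoC rows: three writes, one thread-context change,
# one section mapping with no cross-process target.
EVENTS = [
    {"api": "WriteProcessMemory", "pid": 4556, "target": 4804},
    {"api": "WriteProcessMemory", "pid": 4556, "target": 4804},
    {"api": "WriteProcessMemory", "pid": 4556, "target": 4804},
    {"api": "SetThreadContext",   "pid": 4556, "target": 4804},
    {"api": "MapViewOfSection",   "pid": 4556, "target": None},
]


def detect_injection(processes, events):
    """Return one finding per (source, target) pair where the source both wrote
    into the target's memory and changed one of its thread contexts.

    Either call alone is noisy (debuggers, installers, AV); the pair aimed at the
    same foreign process is what makes it suspicious. Each finding also records
    whether the target is a child of the source and whether both run the same
    image, the two extra signals that mark self-hollowing as seen in this report.
    """
    by_pid = {p["pid"]: p for p in processes}
    writes = defaultdict(int)
    ctx_changes = defaultdict(int)

    for e in events:
        # Ignore rows with no cross-process target or that target the caller itself.
        if e["target"] is None or e["target"] == e["pid"]:
            continue
        key = (e["pid"], e["target"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            ctx_changes[key] += 1

    findings = []
    for src, dst in sorted(set(writes) & set(ctx_changes)):
        parent, child = by_pid.get(src), by_pid.get(dst)
        findings.append({
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "set_thread_context": ctx_changes[(src, dst)],
            "target_is_child": bool(child and child["ppid"] == src),
            "same_image": bool(parent and child
                               and parent["image"].lower() == child["image"].lower()),
        })
    return findings


if __name__ == "__main__":
    for f in detect_injection(PROCESSES, EVENTS):
        print(f)
```

On the report's rows this yields a single finding, 4556 into 4804 with three writes and one SetThreadContext, flagged as a same-image child. The MapViewOfSection and EnumeratesProcesses rows carry no target PID in the report and so contribute nothing to the correlation; in a real telemetry source they would be worth joining on the mapped section handle and the enumerated process list respectively.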