General
Target: c97bdf20dd3e6aeafdc7f1ce87aeed3e83d5c439f8d1bd122c4e0754f48170fd
Size: 1.3MB
Sample: 220521-a8nkkabea7
MD5: b0cb3eb89f6198f8cd6cad0a6ef78e00
SHA1: 21dbd642863675dcc9348d95371bec91cf2fcc16
SHA256: c97bdf20dd3e6aeafdc7f1ce87aeed3e83d5c439f8d1bd122c4e0754f48170fd
SHA512: c5a3b5fc8d276fb51b85c31107c8a9eb9a36dadf895be37edce43db5855403f2d2aecc3453a1f274d1cf7d846059b52e9c953acde9d4135c466934f9d7d539cc
Static task: static1
Behavioral task: behavioral1
Sample: c97bdf20dd3e6aeafdc7f1ce87aeed3e83d5c439f8d1bd122c4e0754f48170fd.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: c97bdf20dd3e6aeafdc7f1ce87aeed3e83d5c439f8d1bd122c4e0754f48170fd.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted
azorult
http://149.56.173.78:8080/break/
Targets
Target: c97bdf20dd3e6aeafdc7f1ce87aeed3e83d5c439f8d1bd122c4e0754f48170fd
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext