General

  • Target

    017ad7cd19f4a8fbbcb3dc700f642f48839e6abd65461df5135598a494e7069c

  • Size

    184KB

  • Sample

    220521-b2ql1sfhfq

  • MD5

    19b4ce489f9124592e24c1a45c2ac407

  • SHA1

    19b93e3acc57e8f7b9eea0df558972d1e7190a2e

  • SHA256

    017ad7cd19f4a8fbbcb3dc700f642f48839e6abd65461df5135598a494e7069c

  • SHA512

    c5c6d6ebf17773c39b8d87aa091ce6deb3ae6e0a7649c4d0efcab24786b91bfaaeb43f301dce1e245d272a86677a1d4640a46a4282ee469253a6549af54914ed

Malware Config

  • Extracted

    • Family

      azorult

    • C2

      http://waterchem.com.tr/css/Panel/index.php

Targets

    • Target

      TNT SHIPPING DOCUMENT.exe

    • Size

      267KB

    • MD5

      4d921621521f649ea4741d7687f4fa34

    • SHA1

      01118b049ea747d80ed65742f95c88f16fe92cdb

    • SHA256

      94d39d6f9db604c0b356bb0115d361c9243bc67cb9a657e5310debed783cb6d3

    • SHA512

      6ee927ef7f43aac9e75a9c3e43cd4cd9b51de1973709fb21a7c4e027e77622cd5b5e143b7670535e7a7a580800a5d8b9549d8e106a1f508290c53f3d58708e3f

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Uses the VBS compiler for execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    • Scripting (1 signature)

      T1064

  • Defense Evasion

    • Virtualization/Sandbox Evasion (2 signatures)

      T1497

    • Scripting (1 signature)

      T1064

  • Discovery

    • Query Registry (4 signatures)

      T1012

    • Virtualization/Sandbox Evasion (2 signatures)

      T1497

    • System Information Discovery (2 signatures)

      T1082

    • Peripheral Device Discovery (1 signature)

      T1120

Tasks