General

  • Target

    ac1d9c5c23dc04b8a58bc5546faa7d76a9f9bb395cb61242cda104ae6b14ed0d

  • Size

    1.2MB

  • Sample

    220521-blevksfafq

  • MD5

    1cf6180d5bf545a54d73de6d50ff06d7

  • SHA1

    b225c46d94e39e25806b7733b686dd7aee2c0065

  • SHA256

    ac1d9c5c23dc04b8a58bc5546faa7d76a9f9bb395cb61242cda104ae6b14ed0d

  • SHA512

    8800cce4e3830d7bf885592c3e384808ddceea13c286fcfea409e18e90f7bb64b68bbea08fa5e46157350e8765de2c4f5827d8f734f32109b61d91d1ce4b8190

Malware Config

Extracted

  • Family

    azorult

  • C2

    https://gemateknindoperkasa.co.id/imag/index.php

Targets

    • Target

      MTIR3040.EXE

    • Size

      535KB

    • MD5

      79707819022534894896e0c348aaf6f2

    • SHA1

      1efc18e7f5d1f439cba6f4a7b0efd3bddab1d7c8

    • SHA256

      6d2e1786fd467c2e6015b9a1efe0823457c38127822a1b707aa6da5132a3d04a

    • SHA512

      fdadeb54ddd7f2ee1f651b23a392a40f3a7eba9e328ce4eb7500f4dcbace6ad9c4b65940c705c0e5da13626e40454f90967403e8af4305f356325151a0e2c7c2

    • Azorult

      An information stealer first seen in 2016; it harvests browser history, saved passwords, and similar stored credentials.

    • Poullight

      An information stealer first seen in March 2020.

    • Poullight Stealer Payload

      A Poullight stealer payload was identified in this run.

    • suricata: ET MALWARE Generic gate .php GET with minimal headers

    • suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    • suricata: ET MALWARE Win32/X-Files Stealer Activity

    • Executes dropped EXE

      A file written to disk during the run was launched as a new process.

    • Checks computer location settings

      Looks up the country code configured in the registry, a common geofencing check.

    • Loads dropped DLL

      A DLL written to disk during the run was loaded into a process.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies, and history.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context (typically in a suspended child process) is how injected code is handed control in process hollowing.
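
The four gate.php alerts above are generic HTTP heuristics: they key on the script name and on headers a real browser would send but a bare stealer client does not (Accept, Referer, or anything beyond Host and User-Agent). The block below is an added example, written for this page and not taken from the report or from the Emerging Threats rule source, that re-implements that style of check in Python and runs it over constructed raw requests. The host name c2.example, the paths and the header values are made up; the request named azorult_index mirrors the index.php shape of the extracted C2 URL to show that these gate.php-keyed heuristics would not fire on it.

```python
# Added example (not from the report and not the Emerging Threats rule logic):
# a small header-heuristic matcher in the spirit of the gate.php Suricata
# alerts, run over constructed raw HTTP requests. Host names, paths and
# header values in SAMPLES are made up for illustration.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # lower-cased name -> value


def parse_request(raw: str) -> Request:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method.upper(), path, headers)


def script_name(path: str) -> str:
    """Last path component without the query string, lower-cased."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1].lower()


def classify(req: Request) -> list[str]:
    """Return the heuristic labels a request trips (empty list if none)."""
    alerts = []
    if script_name(req.path) != "gate.php":
        return alerts
    if req.method == "POST":
        if "accept" not in req.headers:
            alerts.append("POST to gate.php with no Accept header")
        if "referer" not in req.headers:
            alerts.append("POST to gate.php with no Referer header")
    elif req.method == "GET":
        # "minimal headers": nothing beyond what a bare client has to send
        if set(req.headers) <= {"host", "user-agent", "connection"}:
            alerts.append("GET gate.php with minimal headers")
    return alerts


def scan(raw_requests: dict[str, str]) -> dict[str, list[str]]:
    """Classify every request and keep only those that raised something."""
    hits = {}
    for name, raw in raw_requests.items():
        labels = classify(parse_request(raw))
        if labels:
            hits[name] = labels
    return hits


# Constructed sample traffic (not captured from the sample in this report).
SAMPLES = {
    "bot_post": (
        "POST /panel/gate.php HTTP/1.1\r\n"
        "Host: c2.example\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 7\r\n"
        "\r\n"
        "id=1234"
    ),
    "browser_post": (
        "POST /panel/gate.php HTTP/1.1\r\n"
        "Host: c2.example\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "Accept: */*\r\n"
        "Referer: https://c2.example/panel/\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ),
    "minimal_get": "GET /gate.php?id=1 HTTP/1.1\r\nHost: c2.example\r\n\r\n",
    # Same shape as the extracted C2 path (index.php rather than gate.php):
    # the gate.php-keyed heuristics say nothing about it.
    "azorult_index": "GET /imag/index.php HTTP/1.1\r\nHost: c2.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, labels in scan(SAMPLES).items():
        print(f"{name}: {', '.join(labels)}")
```

Running the block prints only bot_post and minimal_get; browser_post carries Accept and Referer and azorult_index does not touch gate.php. The point for triage is that such rules are noisy in both directions: a stealer that adds two browser-like headers, or one whose panel is named index.php, slips past them, so treat them as a prompt to look at the full flow rather than as family attribution.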

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access

    T1081 Credentials in Files (1 hit)

  • Discovery

    T1012 Query Registry (1 hit)
    T1082 System Information Discovery (2 hits)

  • Collection

    T1005 Data from Local System (1 hit)

Tasks