azorult

General

Target

8c4ab34b4aa53718967d637c28aab7064f71b6cecba58bdf1e589f98d14ee9a3
Size

1.1MB
Sample

220521-n4n77aefb3
MD5

64e8cbf2ae639b24f51da2faed5b2432
SHA1

cc902b43eca70e8f556799f521495b99387e85d5
SHA256

8c4ab34b4aa53718967d637c28aab7064f71b6cecba58bdf1e589f98d14ee9a3
SHA512

c5507e507c22fb3506c98f995868e3d9408573c2b5488bd25a8e1b2afaa1980a3fb4293349f9f242bd4d061aeb4df6ecad84e35b7c195367ef1be3f4c28196c8

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://128.199.141.181/index.php

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\AEF946DCB4\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 7 Ultimate 64bit CPU: Intel Core Processor (Broadwell) GPU: Standard VGA Graphics Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:52:25 PM MassLogger Started: 5/21/2022 2:52:06 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Standard Terms and Conditions for purchases.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Extracted

Credentials

Protocol: smtp
Host:
mail.mkontakt.az
Port:
587
Username:
testing@mkontakt.az
Password:
Onyeoba111

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\F95B724EDE\Log.txt

Family

masslogger

Ransom Note

################################################################# MassLogger v1.3.5.0 ################################################################# ### Logger Details ### User Name: Admin IP: 154.61.71.50 Location: United States OS: Microsoft Windows 10 Pro64bit CPU: Intel Core Processor (Broadwell) GPU: Microsoft Basic Display Adapter AV: NA Screen Resolution: 1280x720 Current Time: 5/21/2022 2:51:51 PM MassLogger Started: 5/21/2022 2:51:46 PM Interval: 2 hour MassLogger Process: C:\Users\Admin\AppData\Local\Temp\Standard Terms and Conditions for purchases.exe MassLogger Melt: false MassLogger Exit after delivery: true As Administrator: True Processes:

Targets

- Target
  
  PRQ 010474.exe
- Size
  
  312KB
- MD5
  
  86552be6b1f4a2a5ee6f4d3314bcaca8
- SHA1
  
  273c38764bc244f6322939e899cd111c56df9772
- SHA256
  
  ed15459a7fd8570fc69235cac35dbe1617fa919c6c09a1978df30952b2af53b1
- SHA512
  
  b5a71794e75c4fab472639e47fd2c2717c7e14894527e498dafa7690ab02a54c3b543362e6b79dc17185a66c87652b1ecfc6a6c2a8fc9f46af2fd7d6a8f85491
Score

10^/10

azorult infostealer rezer0 trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Standard Terms and Conditions for purchases.exe
- Size
  
  940KB
- MD5
  
  3523948b0182768af480742150a7bc76
- SHA1
  
  3ee7ab152ac2e949ea48c6a6e5aadac2015219fd
- SHA256
  
  98f14edea3c84946787d020e97f6b161cae2ed419e458434413626b9893c6f62
- SHA512
  
  820ea8bd7ef17b0bc45d0390a8e832fc42d97f1743afa9296c3417d90a7fced1409bd34daacc4fdde18a95d744c2eeb582fcab0287eb1d0d98613c15e066bac4
Score

10^/10

masslogger collection ransomware rezer0 spyware stealer
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
  stealer spyware masslogger
- MassLogger Main Payload
- MassLogger log file
  Detects a log file produced by MassLogger.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

ReZer0 packer

Suspicious use of SetThreadContext

MassLogger

MassLogger Main Payload

MassLogger log file

ReZer0 packer

Checks computer location settings

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4