General

  • Target: e11081c171af696f836436896183360e879ef7f697e3acd767f55128ed6f1df0
  • Size: 221KB
  • Sample: 220521-ny1zsshdhn
  • MD5: 0ba4194ca2b91788547eabac3c11b7ce
  • SHA1: 61c97ac3fa02ddbd7a3f616cbdee392976272bd7
  • SHA256: e11081c171af696f836436896183360e879ef7f697e3acd767f55128ed6f1df0
  • SHA512: 8b3cf36813d5f46b25d513625fdf9e135ddf5ee53b255311fc0fdb1eb32e964cbf3cfe6340ac628ddbcab6848e3170f378385761b924525d91daca1b4a7bc1b2

Malware Config

Extracted

  • Family: azorult
  • C2: http://waterchem.com.tr/css/Panel/index.php

Targets

    • Target: DBS-6700H.exe
    • Size: 293KB
    • MD5: 5abb6d53b7598faa6d7642d44bde0a49
    • SHA1: 32c06b8fdbc2380441a5adba40bb933f045a1da5
    • SHA256: 766195863e4ab2ce2b2b2b61018fdd5409a4da51ca7fe0c392ae442f39631780
    • SHA512: 431e7b10c8f45b91068bae3f5df48aedea48aef2fbacc3d001ff3886682bbf5a2a8b7cdd9bb8286cf5bd5dde6eaa049e27336177adfb6304d888dec39e315a5c

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Uses the VBS compiler for execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                        Count  ID
  Execution        Scripting                        1      T1064
  Defense Evasion  Virtualization/Sandbox Evasion   2      T1497
  Defense Evasion  Scripting                        1      T1064
  Discovery        Query Registry                   4      T1012
  Discovery        Virtualization/Sandbox Evasion   2      T1497
  Discovery        System Information Discovery     2      T1082
  Discovery        Peripheral Device Discovery      1      T1120

Tasks