General
-
Target
e23b02933713f31e9160876340846eefe729da5f223419946273e4fe8420d0e4
-
Size
11.0MB
-
Sample
220524-dt7lnsdhb2
-
MD5
cbf2bda7d17eb73f8187ec391ce9b0b3
-
SHA1
ddb15f2a95512868e8fc158c218f3f6afd4bf3a1
-
SHA256
e23b02933713f31e9160876340846eefe729da5f223419946273e4fe8420d0e4
-
SHA512
9902658f35f0631023b4043a712e6472396e18245f08203d659cc516e03750caf86f7cae873230e9e1100514386c10af0234c32402f2bbd38ac4043bc4bc6ce9
Static task
static1
Behavioral task
behavioral1
Sample
e23b02933713f31e9160876340846eefe729da5f223419946273e4fe8420d0e4.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
e23b02933713f31e9160876340846eefe729da5f223419946273e4fe8420d0e4.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Targets
-
-
Target
e23b02933713f31e9160876340846eefe729da5f223419946273e4fe8420d0e4
-
Size
11.0MB
-
MD5
cbf2bda7d17eb73f8187ec391ce9b0b3
-
SHA1
ddb15f2a95512868e8fc158c218f3f6afd4bf3a1
-
SHA256
e23b02933713f31e9160876340846eefe729da5f223419946273e4fe8420d0e4
-
SHA512
9902658f35f0631023b4043a712e6472396e18245f08203d659cc516e03750caf86f7cae873230e9e1100514386c10af0234c32402f2bbd38ac4043bc4bc6ce9
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
MITRE ATT&CK Enterprise v6
Persistence
Account Manipulation
1Hidden Files and Directories
2Modify Existing Service
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1