General
-
Target
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033
-
Size
1.6MB
-
Sample
220701-hrycfaaee5
-
MD5
e6f466381d62de836b5a8cf53cf571bb
-
SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103
-
SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033
-
SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c
Malware Config
Extracted
azorult
https://www.interactiveresumebuilder.com/admin/images/icons/FTP/index.php
Extracted
nanocore
1.2.2.0
blackhill.ddns.net:54984
185.125.205.75:54984
c7192853-3ef1-495d-8d9e-aa7345c98e7f
-
activate_away_mode
true
-
backup_connection_host
185.125.205.75
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2018-07-28T15:08:16.000917836Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
54984
-
default_group
Lord
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
c7192853-3ef1-495d-8d9e-aa7345c98e7f
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
blackhill.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
pony
https://www.interactiveresumebuilder.com/admin/processImage/image/Panel/gate.php
Extracted
formbook
3.9
dt
adelparis.com
maheandco.com
workersoflight.net
lacrosseparts.com
cuzcu.info
respectchoice.net
dietdreambiz.com
lrmduxiufs.biz
kdnbooks.com
gkg8.com
niun.ltd
91socang.com
thaimedicalweed.com
memechapin.com
jennifersclark.com
americanwornjeans.com
cheok.group
theloans.store
ashlyanderson.net
sportsbettingbigdata.com
Targets
-
-
Target
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033
-
Size
1.6MB
-
MD5
e6f466381d62de836b5a8cf53cf571bb
-
SHA1
28f597812740bd57e12ec472f0f6c3ae12b46103
-
SHA256
b67bebd37c39f6f5cc7236ac443f9f095fed4764758735c77317c8896b516033
-
SHA512
0d507cfecc591935b548c1ffc04750f65c1dc8669ec7e0190c0b580a35ecfb9be7ab150f5353dcf1fe8267bce2a16610c70165aadd32895788c8c7ded953562c
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE AZORult Variant.4 Checkin M2
-
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14
-
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6
-
Formbook Payload
-
Executes dropped EXE
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Suspicious use of SetThreadContext
-