General

  • Target

    a8067b03ec32dc5f5a21cb6db6cb8beba43aa0e3fb7070d5eadd75599ef37856

  • Size

    1.2MB

  • Sample

    220701-r5yd2aggbn

  • MD5

    71a0d311da42dbf96308658924ae3533

  • SHA1

    98c3ea72b6187400b04376d57e46754c74307006

  • SHA256

    a8067b03ec32dc5f5a21cb6db6cb8beba43aa0e3fb7070d5eadd75599ef37856

  • SHA512

    7c01a3049335a7f21328b7c316a2fc1f2bdb84d38c902beafd28a81358591da661735090a815ab109b806d6a5f11fda02f06cc6c33c95e592533fcc513d1fd97

Malware Config (extracted from the sample)

  • Family

    azorult

  • C2

    http://lawantumorotak.com/img/index.php

Targets

    • Target

      ATTACHEM.EXE

    • Size

      529KB

    • MD5

      84a9e3f3782f6c6e8a8d53ea4822bce7

    • SHA1

      fdf97e6f3455ebd935e56da73c7a181f4ffe0212

    • SHA256

      38a689e3cfe024cf53d07e3f6830da32c836c4c06c96478fda9a36e22d540a9c

    • SHA512

      288e884e274ad365d75334e59a8e97839f608525f7af7854c69c5e0c6665157aec3b4b4034e6c4f7e8338191a72f0df1865f3d248aea14ff2f6474c97d0fef42

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check that decides whether the stealer runs.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1 hit

  • Defense Evasion

    Modify Registry (T1112): 1 hit

  • Discovery

    Query Registry (T1012): 1 hit
    System Information Discovery (T1082): 2 hits
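The signatures above are behavioural: each one fires on a pattern of API calls rather than on a hash. The script below is an added example (not the sandbox's own signature engine and not Azorult code) that replays those same signatures over a constructed API-call trace, so a reader can see what evidence each name stands for. The trace format (`pid api argument`), the file names in it, the registry paths the geofence and Run-key checks look for, and the signature-to-ATT&CK mapping are all assumptions; only the C2 URL is taken from the report.

```python
"""Replay the report's behavioural signatures over a constructed API trace.

Added example. The trace layout, dropped-file names, registry paths and
the ATT&CK mapping below are assumptions made for illustration; they are
not the sandbox's own rules.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Only value taken from the report itself (extracted config, C2 field).
C2_URL = "http://lawantumorotak.com/img/index.php"

# Constructed trace in a "pid api argument" layout (assumed format).
TRACE = r"""
1204 CreateProcessW C:\Users\user\Desktop\ATTACHEM.EXE
1204 RegQueryValueExW HKCU\Control Panel\International\Geo\Nation
1204 NtWriteFile C:\Users\user\AppData\Local\Temp\update.exe
1204 NtWriteFile C:\Users\user\AppData\Local\Temp\sqlite3.dll
1204 CreateProcessW C:\Users\user\AppData\Local\Temp\update.exe
1204 SetThreadContext 0x2c8
1300 LoadLibraryW C:\Users\user\AppData\Local\Temp\sqlite3.dll
1300 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
1300 InternetOpenUrlA http://lawantumorotak.com/img/index.php
"""

# Assumed registry patterns behind the two registry signatures.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\", re.I)

# Assumed signature -> ATT&CK v6 mapping (matches the matrix above where it applies).
ATTACK = {
    "Adds Run key to start application": ["T1060", "T1112"],
    "Checks computer location settings": ["T1012", "T1082"],
}


def parse_trace(text):
    """Turn trace lines into (pid, api, argument) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, arg = line.split(" ", 2)  # the argument may itself contain spaces
        events.append((int(pid), api, arg))
    return events


def match_signatures(events, c2_url=C2_URL):
    """Return Counter of signature name -> number of matching events.

    "Dropped" is stateful: a file counts as dropped only if an earlier
    NtWriteFile in the trace created it, so executing the original
    ATTACHEM.EXE is not reported as a dropped-EXE execution.
    """
    c2 = urlparse(c2_url)
    written = set()
    hits = Counter()
    for _pid, api, arg in events:
        if api == "NtWriteFile":
            written.add(arg.lower())
        elif api == "CreateProcessW" and arg.lower() in written:
            hits["Executes dropped EXE"] += 1
        elif api == "LoadLibraryW" and arg.lower() in written:
            hits["Loads dropped DLL"] += 1
        elif api == "RegQueryValueExW" and GEO_KEY_RE.search(arg):
            hits["Checks computer location settings"] += 1
        elif api == "RegSetValueExW" and RUN_KEY_RE.search(arg):
            hits["Adds Run key to start application"] += 1
        elif api == "SetThreadContext":
            hits["Suspicious use of SetThreadContext"] += 1
        elif api == "InternetOpenUrlA":
            url = urlparse(arg)
            # Compare host and path rather than the raw string so a query
            # string or differently cased host still matches the IOC.
            if url.hostname == c2.hostname and url.path == c2.path:
                hits["Azorult C2 contact"] += 1
    return hits


def attack_techniques(hits):
    """Aggregate signature hits into ATT&CK technique counts (assumed mapping)."""
    techniques = Counter()
    for signature, count in hits.items():
        for technique in ATTACK.get(signature, []):
            techniques[technique] += count
    return techniques


if __name__ == "__main__":
    found = match_signatures(parse_trace(TRACE))
    for name, count in sorted(found.items()):
        print(f"{count}  {name}")
    print(dict(attack_techniques(found)))
```

The point of tracking `written` is that "dropped" is a relationship between two events, not a property of one line: a detector that flags every CreateProcess from a temp directory will also flag legitimate installers, while one that requires the same sample to have written the file first reproduces what the report's "Executes dropped EXE" and "Loads dropped DLL" signatures actually assert.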
