General

  • Target

    87ae3c39a94818fda4f66ddaa98898dfa3bd10190099e6129cb174d1f480eefc

  • Size

    1.2MB

  • Sample

    220701-r6sj6sadc6

  • MD5

    3bcc3b3035993fbd946ac1f61b9128e8

  • SHA1

    0fde7bf38d94d1c6df988cd99bc66a200a4d183f

  • SHA256

    87ae3c39a94818fda4f66ddaa98898dfa3bd10190099e6129cb174d1f480eefc

  • SHA512

    f2968b993deba8a236fb5c8b6af9c49e02aa16163997842942d01c0ca0737de30e526cdf4f7a0e4a91902a5a2a86cc989bff352cb3768ff09179c5d68f567792

Malware Config

Extracted

  • Family

    azorult

  • C2

    http://rodamedd.com/css/index.php

Targets

    • Target

      ATTACHME.EXE

    • Size

      531KB

    • MD5

      33d65b07d476356bdcda270163594db1

    • SHA1

      e7a3bc423f07c5415e2ec8282e00c04eaa2cb008

    • SHA256

      27efbe2e224af5538663051c9a5183bddf283ab5ae5e3207cfb876f9c9445c0f

    • SHA512

      11e19f6475ec236d54ab2ad1bc982eaa4497001436ad47d8057ad6c08b4c0fc4690fe7418cbe71d7e74dc928384346cecec25fd21ce71b9d3f0643406fae65b7

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  ID
  Persistence      Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion  Modify Registry                      1      T1112
  Discovery        Query Registry                       1      T1012
  Discovery        System Information Discovery         2      T1082

Tasks