Analysis
- max time kernel: 144s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 09:24
Static task: static1
Behavioral task: behavioral1
- Sample: 3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
- Resource: win10v2004-20220414-en
General
- Target: 3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
- Size: 582KB
- MD5: 38d328dd86ebad6931208bc20280fcda
- SHA1: 89a9285ea26ff51212e7cbb68cbccfd6c262c296
- SHA256: 3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec
- SHA512: 5b2324b74cec5bf6c2632f453e7dc397a7fcd7f1977f17dd2e085a047f3aed0b1caecc40cbf1b3e0b009b1ec75aa2b2d7872fe91bff574af5b3e4df43f868d94
Malware Config
- Extracted family: azorult
- URL: http://projectkanor.bit/az/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Unexpected DNS network traffic destination (10 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Destination IPs: 173.212.234.232, 130.255.78.223, 151.80.147.153, 50.3.82.215, 46.101.70.183, 5.45.97.127, 82.141.39.32, 80.233.248.109, 91.217.137.44, 173.249.7.187
- Suspicious use of SetThreadContext (1 IoC)
  PID 4912 (3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe) set thread context of PID 2404 (3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4912 (3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4912 (3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe) wrote to memory of PID 2404 (3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe"
Downloads
- memory/2404-133-0x0000000000000000-mapping.dmp
- memory/2404-136-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/2404-149-0x0000000077980000-0x0000000077B23000-memory.dmp (Filesize: 1.6MB)
- memory/2404-150-0x0000000077980000-0x0000000077B23000-memory.dmp (Filesize: 1.6MB)
- memory/2404-151-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/2404-152-0x0000000077980000-0x0000000077B23000-memory.dmp (Filesize: 1.6MB)
- memory/2404-153-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/4912-132-0x00000000022F0000-0x00000000022F7000-memory.dmp (Filesize: 28KB)
- memory/4912-134-0x0000000077980000-0x0000000077B23000-memory.dmp (Filesize: 1.6MB)