Analysis
- max time kernel: 72s
- max time network: 79s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 16:31
Static task: static1
Behavioral task: behavioral1
  Sample: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  Resource: win10v2004-20220414-en
General
- Target: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
- Size: 528KB
- MD5: 3b6b7b03f527e369eccd197d1f628df1
- SHA1: 8bfecdc47f3425956c051790bfc68a40d3241f19
- SHA256: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e
- SHA512: a61b1740865bd61e0782bd445d5fb071a4af704083a9480cafb011b87881cfef84fc011f3e6c5975c79a77438a3ea560f374a6712853fe3fe471956e02e05ec4
Malware Config
- Extracted: azorult
  http://fishpoultryonline.site/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                         | pid  | process                                                                  | target process
  PID 1644 set thread context of 1568 | 1644 | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  | process
  1644 | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                      | pid  | process                                                                  | target process
  PID 1644 wrote to memory of 1568 | 1644 | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  PID 1644 wrote to memory of 1568 | 1644 | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  PID 1644 wrote to memory of 1568 | 1644 | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  PID 1644 wrote to memory of 1568 | 1644 | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe | e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1568-58-0x0000000000474FE4-mapping.dmp
- memory/1568-64-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/1568-63-0x0000000000400000-0x0000000000485000-memory.dmp (Filesize: 532KB)
- memory/1568-69-0x00000000775B0000-0x0000000077759000-memory.dmp (Filesize: 1.7MB)
- memory/1568-70-0x0000000077790000-0x0000000077910000-memory.dmp (Filesize: 1.5MB)
- memory/1568-71-0x00000000001B0000-0x00000000001B7000-memory.dmp (Filesize: 28KB)
- memory/1568-72-0x0000000077790000-0x0000000077910000-memory.dmp (Filesize: 1.5MB)
- memory/1644-56-0x0000000000240000-0x0000000000247000-memory.dmp (Filesize: 28KB)
- memory/1644-57-0x0000000075841000-0x0000000075843000-memory.dmp (Filesize: 8KB)
- memory/1644-59-0x0000000000240000-0x0000000000247000-memory.dmp (Filesize: 28KB)
- memory/1644-60-0x00000000775B0000-0x0000000077759000-memory.dmp (Filesize: 1.7MB)
- memory/1644-61-0x0000000077790000-0x0000000077910000-memory.dmp (Filesize: 1.5MB)