Analysis

Max time kernel:  136s
Max time network: 157s
Platform:         windows10-2004_x64
Resource:         win10v2004-20220414-en
Submitted:        03-07-2022 16:31
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample:   e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
  Resource: win10v2004-20220414-en
General

Target: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
Size:   528KB
MD5:    3b6b7b03f527e369eccd197d1f628df1
SHA1:   8bfecdc47f3425956c051790bfc68a40d3241f19
SHA256: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e
SHA512: a61b1740865bd61e0782bd445d5fb071a4af704083a9480cafb011b87881cfef84fc011f3e6c5975c79a77438a3ea560f374a6712853fe3fe471956e02e05ec4
Malware Config

Extracted family: azorult
Extracted URL:    http://fishpoultryonline.site/index.php
Signatures

- Azorult
  An information stealer, first discovered in 2016, that targets browsing history and passwords.

- Suspicious use of SetThreadContext (1 IoC)
  Description:    PID 2472 set thread context of 4540
  Process:        e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe (PID 2472)
  Target process: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe (PID 4540)

- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe (PID 2472)

- Suspicious use of WriteProcessMemory (3 IoCs)
  Description:    PID 2472 wrote to memory of 4540 (recorded 3 times)
  Process:        e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe (PID 2472)
  Target process: e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe (PID 4540)
Processes

1. C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\e53e7c18a23025bc98f242ebef59c24220842d0098aae334c9874d59177d026e.exe"
Downloads (memory dumps)

File                                                              Size
memory/2472-132-0x0000000002230000-0x0000000002237000-memory.dmp  28KB
memory/2472-134-0x0000000002230000-0x0000000002237000-memory.dmp  28KB
memory/2472-135-0x00007FF9CBB50000-0x00007FF9CBD45000-memory.dmp  2.0MB
memory/2472-136-0x00000000777B0000-0x0000000077953000-memory.dmp  1.6MB
memory/4540-133-0x0000000000000000-mapping.dmp
memory/4540-138-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
memory/4540-137-0x0000000000400000-0x0000000000485000-memory.dmp  532KB
memory/4540-143-0x00000000004D0000-0x00000000004D7000-memory.dmp  28KB
memory/4540-144-0x00007FF9CBB50000-0x00007FF9CBD45000-memory.dmp  2.0MB
memory/4540-145-0x00000000777B0000-0x0000000077953000-memory.dmp  1.6MB