General

  • Target

    3b3a6ce0161991703ab6ff28e4b22e5934550f4c5573dcf61d1ed6a7e31253cd

  • Size

    316KB

  • Sample

    220703-vqz6vsbha8

  • MD5

    1ec4a26ad4d59b67be78e29ba18a7fcd

  • SHA1

    ba1b8f9b3797628c726f18386be009b28f0976b3

  • SHA256

    3b3a6ce0161991703ab6ff28e4b22e5934550f4c5573dcf61d1ed6a7e31253cd

  • SHA512

    2c990d90f804716ede668c4816b0a1661b4d0db4182a54c1a61727f8ff7fa8bdc23b3df79d543d0611fdf91a0c2c070fce2d5824a905d958c594e5abee13728c

Malware Config

Extracted

Family

azorult

C2

http://89.33.246.103/Panel/index.php

Targets

    • Target

      3b3a6ce0161991703ab6ff28e4b22e5934550f4c5573dcf61d1ed6a7e31253cd

    • Size

      316KB

    • MD5

      1ec4a26ad4d59b67be78e29ba18a7fcd

    • SHA1

      ba1b8f9b3797628c726f18386be009b28f0976b3

    • SHA256

      3b3a6ce0161991703ab6ff28e4b22e5934550f4c5573dcf61d1ed6a7e31253cd

    • SHA512

      2c990d90f804716ede668c4816b0a1661b4d0db4182a54c1a61727f8ff7fa8bdc23b3df79d543d0611fdf91a0c2c070fce2d5824a905d958c594e5abee13728c

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the stealer runs on this machine.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
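The indicators and behaviours listed above (the C2 panel URL, the sample hashes, and the Run-key and startup-folder persistence) can be turned into a small hunting script that scores host and proxy telemetry per machine. This is an added example and is not part of the sandbox report or of any analysis tool; only the hashes and the C2 URL come from the report, while the event line format, field names, host names, log lines and scoring weights are constructed assumptions.

```python
"""Hunt for the Azorult sample from this report in constructed host/proxy telemetry.
Added illustration, not part of the sandbox report; the event format, field names,
host names and weights are assumptions, not any product's schema."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
C2_URL = "http://89.33.246.103/Panel/index.php"
SAMPLE_SHA256 = "3b3a6ce0161991703ab6ff28e4b22e5934550f4c5573dcf61d1ed6a7e31253cd"
SAMPLE_MD5 = "1ec4a26ad4d59b67be78e29ba18a7fcd"

_c2 = urlsplit(C2_URL)
C2_HOST, C2_PATH = _c2.hostname, _c2.path

# Persistence locations behind the "Adds Run key" / "Drops startup file" signatures (T1060).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

# Constructed event format: '<kind> key=value key="value with spaces" ...'
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry: WS-17 shows the full chain, WS-02 is benign.
SAMPLE_LOGS = [
    'process ts=2022-07-03T14:00:58Z host=WS-17 image="C:\\Users\\bob\\Downloads\\invoice.exe" sha256=3b3a6ce0161991703ab6ff28e4b22e5934550f4c5573dcf61d1ed6a7e31253cd',
    'registry ts=2022-07-03T14:01:00Z host=WS-17 key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd" value="C:\\Users\\bob\\AppData\\Roaming\\upd.exe"',
    'file ts=2022-07-03T14:01:01Z host=WS-17 path="C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"',
    'proxy ts=2022-07-03T14:01:02Z host=WS-17 method=POST url=http://89.33.246.103/Panel/index.php status=200',
    'proxy ts=2022-07-03T14:01:05Z host=WS-17 method=GET url=http://89.33.246.103:8080/update.bin status=404',
    'proxy ts=2022-07-03T14:02:00Z host=WS-02 method=GET url=http://www.example.com/ status=200',
    'process ts=2022-07-03T14:02:10Z host=WS-02 image="C:\\Windows\\System32\\svchost.exe" sha256=0000000000000000000000000000000000000000000000000000000000000000',
]

# Assumed weights: a hash or C2 hit is conclusive on its own, a persistence write is not.
SCORE = {"c2-contact": 10, "known-sample": 10,
         "run-key-persistence": 3, "startup-folder-persistence": 3}


def parse_event(line):
    """Split one event line into a dict; the first token is the event kind."""
    kind, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    ev["kind"] = kind
    return ev


def classify(ev):
    """Return a list of (indicator, detail) findings for one event."""
    kind, out = ev["kind"], []
    if kind == "proxy":
        u = urlsplit(ev.get("url", ""))
        # hostname drops the port, so traffic to the C2 host on another port still matches
        if u.hostname == C2_HOST:
            detail = "exact panel URL" if u.path == C2_PATH else f"C2 host, path {u.path}"
            out.append(("c2-contact", detail))
    elif kind == "process":
        if (ev.get("sha256", "").lower() == SAMPLE_SHA256
                or ev.get("md5", "").lower() == SAMPLE_MD5):
            out.append(("known-sample", ev.get("image", "")))
    elif kind == "registry":
        if RUN_KEY_RE.search(ev.get("key", "")):
            out.append(("run-key-persistence", ev.get("value", "")))
    elif kind == "file":
        if STARTUP_DIR_RE.search(ev.get("path", "")):
            out.append(("startup-folder-persistence", ev.get("path", "")))
    return out


def hunt(lines):
    """Group findings per host and add up their weights, so a lone Run-key write
    stays low priority while one seen next to C2 traffic or the known hash escalates."""
    hosts = {}
    for line in lines:
        ev = parse_event(line)
        for ind, detail in classify(ev):
            h = hosts.setdefault(ev.get("host", "?"), {"score": 0, "findings": []})
            h["score"] += SCORE[ind]
            h["findings"].append((ind, detail))
    return hosts


if __name__ == "__main__":
    ranked = sorted(hunt(SAMPLE_LOGS).items(), key=lambda kv: -kv[1]["score"])
    for host, info in ranked:
        print(f"{host}: score {info['score']}")
        for ind, detail in info["findings"]:
            print(f"  {ind:28} {detail}")
```

Matching on the C2 hostname rather than the full URL is deliberate: the panel path can change between builds, but traffic to that address from a workstation is worth a look regardless of path or port, and the exact-URL case is still reported separately so an analyst can tell the two apart.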

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2
