azorult

General

Target

cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67
Size

894KB
Sample

220725-evwq8seebn
MD5

e4c6c1ca703d77b521ace023bee2df08
SHA1

61e97bd5a83c7b264af225d2b75eef4bd07d5b93
SHA256

cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67
SHA512

61007ce908055fe3f1e07d9ee9f7c40dd232f5de87b924552a5090622870a95d51e4c2b8e6312dd086c0bdeed668e40119c61dfc195d609595fa98652d67c705

Score

10^/10

Malware Config

Extracted

Family

vidar

Version

18.2

Botnet

543

C2

http://barjamanis.com/

Attributes

profile_id
543

Extracted

Family

azorult

C2

http://23.106.124.148/index.php

Targets

- Target
  
  cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67
- Size
  
  894KB
- MD5
  
  e4c6c1ca703d77b521ace023bee2df08
- SHA1
  
  61e97bd5a83c7b264af225d2b75eef4bd07d5b93
- SHA256
  
  cbcd2fbfc1453a2df726c3801dd176bf06b92c59cd664b9298ea6746b35bfc67
- SHA512
  
  61007ce908055fe3f1e07d9ee9f7c40dd232f5de87b924552a5090622870a95d51e4c2b8e6312dd086c0bdeed668e40119c61dfc195d609595fa98652d67c705
Score

10^/10

azorult vidar 543 discovery infostealer persistence spyware stealer suricata trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
  suricata
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
  suricata
- suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- Vidar Stealer
  stealer
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2