azorult

General

Target

d9f420d6ae39e30825e8ef9d19de7204.exe.vir
Size

16.4MB
Sample

220811-r2qvsaafg4
MD5

d9f420d6ae39e30825e8ef9d19de7204
SHA1

08dad6bb3bd0d5c16fed72474a5fbb063e9c777c
SHA256

00effc10227f68df3ef638aa733c2508efcf9c24acdad9699ba3b0301bd03f33
SHA512

c45729fca2810f76a4c7a0338943ce4f4a4ed3e94224d0323c0422225f87c89aa61d5dd88599f42c356dfaec15a50da73c3bfcd9c2d5a5574a966d5d4ebce3b9

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

redline

Botnet

Netcaps

C2

15.235.171.56:30730

Attributes

auth_value
df9ffa855d7c838dcb4a6346f50a76fb

Extracted

Family

socelars

C2

https://hueduy.s3.eu-west-1.amazonaws.com/gdyhf805/

Extracted

Family

raccoon

Botnet

9ff0d3252fc925e8866300fd0964f332

C2

http://51.195.166.176

rc4.plain

Targets

- Target
  
  d9f420d6ae39e30825e8ef9d19de7204.exe.vir
- Size
  
  16.4MB
- MD5
  
  d9f420d6ae39e30825e8ef9d19de7204
- SHA1
  
  08dad6bb3bd0d5c16fed72474a5fbb063e9c777c
- SHA256
  
  00effc10227f68df3ef638aa733c2508efcf9c24acdad9699ba3b0301bd03f33
- SHA512
  
  c45729fca2810f76a4c7a0338943ce4f4a4ed3e94224d0323c0422225f87c89aa61d5dd88599f42c356dfaec15a50da73c3bfcd9c2d5a5574a966d5d4ebce3b9
Score

10^/10

azorult pony raccoon redline socelars 9ff0d3252fc925e8866300fd0964f332 netcaps collection discovery infostealer rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Raccoon Stealer payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2