General

  • Target

    Order R04-T4077 TBA-2022, pdf.exe

  • Size

    186KB

  • Sample

    220926-jzeqqsaab8

  • MD5

    c42bff2b027d01641cac47b363eaef63

  • SHA1

    deb49ead9c64f834db57f7a5704321a7e684346e

  • SHA256

    eb165382dbcc999a719a7f61a2c23b823eb2d89fc7648330065983586dc9a869

  • SHA512

    591fea6ef966b327cca92fdbd13f7ac3de9740827774660dc7c758989765a6b6a81fffd3863c74b10550ab14ff3cc2a075b54c67061d86e08c2e1d9d871aa86b

  • SSDEEP

    3072:yjFa0SeOyAVq3Vlfv+ZODb4941BVrJsQqe+/UajFVpCxBVOzyVjq:ASyAVEVGqkS1hsQqe+/xrI

Malware Config

Extracted

Family

azorult

C2

http://bl3ds2.shop/PL341/index.php

Targets

    • Target

      Order R04-T4077 TBA-2022, pdf.exe

    • Size

      186KB

    • MD5

      c42bff2b027d01641cac47b363eaef63

    • SHA1

      deb49ead9c64f834db57f7a5704321a7e684346e

    • SHA256

      eb165382dbcc999a719a7f61a2c23b823eb2d89fc7648330065983586dc9a869

    • SHA512

      591fea6ef966b327cca92fdbd13f7ac3de9740827774660dc7c758989765a6b6a81fffd3863c74b10550ab14ff3cc2a075b54c67061d86e08c2e1d9d871aa86b

    • SSDEEP

      3072:yjFa0SeOyAVq3Vlfv+ZODb4941BVrJsQqe+/UajFVpCxBVOzyVjq:ASyAVEVGqkS1hsQqe+/xrI

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Tasks