Analysis
- max time kernel: 77s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-09-2022 13:07
- static task: static1
- behavioral task behavioral1: sample 7wAqUaXsi8jTb8r.exe, resource win7-20220901-en
- behavioral task behavioral2: sample 7wAqUaXsi8jTb8r.exe, resource win10v2004-20220901-en (the run reported below)
General
- Target: 7wAqUaXsi8jTb8r.exe
- Size: 1012KB
- MD5: 90fe342646a08263931a07e4f0817813
- SHA1: 8abab45311c7e6fcc6f78d404d2248e9118d6676
- SHA256: 81f8e0cce3b04d42b311bf8a47633562a12f7286657a8ae9d09449430df9a338
- SHA512: cbc0924c1cb643a65943643bccedc6165f8dd6cd20a34630a8d9f4d32bc06b91bfde2456402c94f1c08e40faa9bd54b899f8263d7eedcbb6aa00abb20f97402b
- SSDEEP: 12288:uqvmfw2iN4/yd24gkwCMLRhQbjNpmwJ8kjlBLQVvKAeRNZtuFCitm6LnEmWT2/:uqeo1CV4gVRSmwJF3LQ8RYm6LEmWc
Malware Config
- Extracted family: azorult
- C2 URL: http://bl3ds2.shop/PL341/index.php
Signatures
- Azorult
  An information stealer first seen in 2016; it harvests browser data such as browsing history and saved passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3588 set thread context of 4372 | 3588 | 7wAqUaXsi8jTb8r.exe | 7wAqUaXsi8jTb8r.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 3588 wrote to memory of 4372 | 3588 | 7wAqUaXsi8jTb8r.exe | 7wAqUaXsi8jTb8r.exe
  (this row appears nine times in the report: nine separate writes into the same target)
  A process writing repeatedly into a second instance of its own image and then replacing a thread context there is the WriteProcessMemory/SetThreadContext sequence of process hollowing (RunPE). Consistent with that, the dumps for PID 4372 below cover a 128KB region at 0x400000, not the 1.0MB image the parent runs at 0x630000.
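Added example, not code from the sandbox or from the sample: it re-parses this report's flattened IoC rows and memory-dump names to decide whether the WriteProcessMemory + SetThreadContext pair is the process-hollowing (RunPE) pattern, and turns the extracted Azorult URL into network IoCs. The sample rows and dump names are constructed from the ones on this page; the reading of the parent's first listed dump as its loaded image, and the Suricata sid, are assumptions.

```python
"""Added example: not the sandbox's or the sample's code. It re-parses this
report's flattened IoC rows and memory-dump names to decide whether the
WriteProcessMemory + SetThreadContext pair is the process-hollowing (RunPE)
pattern, and turns the extracted Azorult URL into network IoCs."""
import re
from urllib.parse import urlparse

# Constructed input, copied in the report's flattened
# "description pid process target process" row layout.
IOC_ROWS = """
PID 3588 wrote to memory of 4372 3588 7wAqUaXsi8jTb8r.exe 7wAqUaXsi8jTb8r.exe
PID 3588 wrote to memory of 4372 3588 7wAqUaXsi8jTb8r.exe 7wAqUaXsi8jTb8r.exe
PID 3588 set thread context of 4372 3588 7wAqUaXsi8jTb8r.exe 7wAqUaXsi8jTb8r.exe
"""

# Constructed input: the parent's first listed dump (assumed to be its loaded
# image, 1.0MB) and the child's dumps, from the report's Downloads list.
MEMORY_DUMPS = """
memory/3588-132-0x0000000000630000-0x0000000000734000-memory.dmp
memory/4372-138-0x0000000000000000-mapping.dmp
memory/4372-139-0x0000000000400000-0x0000000000420000-memory.dmp
"""

WRITE, SET_CTX = "wrote to memory of", "set thread context of"
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)")
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-f]+)-0x(?P<end>[0-9a-f]+)-memory\.dmp", re.I)


def parse_rows(text):
    """Return (src_pid, dst_pid, action, src_image, dst_image) tuples."""
    return [(int(m["src"]), int(m["dst"]), m["action"], m["src_img"], m["dst_img"])
            for m in map(ROW_RE.search, text.splitlines()) if m]


def parse_dumps(text):
    """Map pid -> [(start, size)] for memory.dmp entries; mapping.dmp is skipped."""
    regions = {}
    for m in map(DUMP_RE.search, text.splitlines()):
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.setdefault(int(m["pid"]), []).append((start, end - start))
    return regions


def hollowing_candidates(events):
    """(src, dst) pairs where src both wrote into dst and replaced a thread
    context there. Same-image pairs are the classic self-hollowing case, but a
    write+context pair into any other process is reported as well."""
    seen = {}
    for src, dst, action, src_img, dst_img in events:
        if src != dst:
            seen.setdefault((src, dst), {"actions": set(), "same_image": src_img == dst_img})
            seen[(src, dst)]["actions"].add(action)
    return [(k, v["same_image"]) for k, v in seen.items() if {WRITE, SET_CTX} <= v["actions"]]


def image_region_mismatch(regions, src, dst, fixed_base=0x400000):
    """Compare the parent's first listed region (assumed: its own image) with
    the child's region at 0x400000, the default base of a non-relocated PE.
    A much smaller image at a fixed base in the child, while the parent's
    image sits elsewhere, fits a different PE having been written in."""
    parent = regions.get(src)
    child = [size for start, size in regions.get(dst, []) if start == fixed_base]
    if not parent or not child:
        return None
    return {"parent_image_bytes": parent[0][1], "child_image_bytes": child[0],
            "ratio": round(parent[0][1] / child[0], 1)}


def analyze(rows_text, dumps_text):
    events, regions = parse_rows(rows_text), parse_dumps(dumps_text)
    findings = []
    for (src, dst), same_image in hollowing_candidates(events):
        writes = sum(1 for e in events if e[:3] == (src, dst, WRITE))
        findings.append({"parent": src, "child": dst, "same_image": same_image,
                         "writes": writes, "regions": image_region_mismatch(regions, src, dst)})
    return findings


def c2_iocs(config_url, sid=1000001):
    """Split the extracted C2 URL into host and path and render a Suricata
    rule for it. The sid is an assumed local value, not one from the report."""
    u = urlparse(config_url)
    rule = (f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Azorult C2 {u.hostname}"; '
            f'flow:established,to_server; http.host; content:"{u.hostname}"; '
            f'http.uri; content:"{u.path}"; classtype:trojan-activity; sid:{sid}; rev:1;)')
    return {"host": u.hostname, "path": u.path, "suricata": rule}


if __name__ == "__main__":
    for finding in analyze(IOC_ROWS, MEMORY_DUMPS):
        print(finding)
    print(c2_iocs("http://bl3ds2.shop/PL341/index.php")["suricata"])
```

On this page's rows the script reports one candidate pair (3588 into 4372, same image) with the parent's 1.0MB image region about eight times the size of the 128KB region the child has at 0x400000; a write without a matching SetThreadContext, or a pair whose target is the writer itself, is not reported.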
Processes
- C:\Users\Admin\AppData\Local\Temp\7wAqUaXsi8jTb8r.exe (PID 3588)
  command line: "C:\Users\Admin\AppData\Local\Temp\7wAqUaXsi8jTb8r.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7wAqUaXsi8jTb8r.exe (PID 4372, child of 3588)
    command line: "C:\Users\Admin\AppData\Local\Temp\7wAqUaXsi8jTb8r.exe"
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps (file | size):
memory/3588-132-0x0000000000630000-0x0000000000734000-memory.dmp | 1.0MB
memory/3588-133-0x00000000056F0000-0x0000000005C94000-memory.dmp | 5.6MB
memory/3588-134-0x0000000005140000-0x00000000051D2000-memory.dmp | 584KB
memory/3588-135-0x00000000050E0000-0x00000000050EA000-memory.dmp | 40KB
memory/3588-136-0x0000000008E30000-0x0000000008ECC000-memory.dmp | 624KB
memory/3588-137-0x0000000008F40000-0x0000000008FA6000-memory.dmp | 408KB
memory/4372-138-0x0000000000000000-mapping.dmp | -
memory/4372-139-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/4372-141-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/4372-142-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB
memory/4372-143-0x0000000000400000-0x0000000000420000-memory.dmp | 128KB