Analysis
Max time kernel: 111s
Max time network: 132s
Platform: windows10-2004_x64
Resource: win10v2004-20220901-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 30-11-2022 09:26
Static task: static1
Behavioral task: behavioral1
  Sample: 66c34710efa2a99389423f628d9acf8f.bin.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 66c34710efa2a99389423f628d9acf8f.bin.exe
  Resource: win10v2004-20220901-en
General
Target: 66c34710efa2a99389423f628d9acf8f.bin.exe
Size: 813KB
MD5: 66c34710efa2a99389423f628d9acf8f
SHA1: 0d22f8ff37b21519ca76c513a0eee998cd098fc9
SHA256: f2548df2e5468593394ec6ac99012131d2723f88f2e35c89f41f533a78c68330
SHA512: 0705cf05c72948b5661252201ec4163e800c4465e82bc3b775c4c71abe81aa25000788299571fad4679afdb0fca28fc62f2bc24ae1d150d3375679431f09a2a6
SSDEEP: 12288:9pS831gCYWywOWxAksig+/UZ6BN6wnapCP0pszUR5Mi0JYNjnaG9OYqQw:JOcFxAksig+1B3n2C8WzURKc7aQw
Malware Config
Extracted family: azorult
C2 URL: http://billi.webhop.me/a/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1344  billioe.exe
    3916  billioe.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 1344 set thread context of 3916  billioe.exe -> billioe.exe
- NTFS ADS (1 IoC)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe:ZoneIdentifier  66c34710efa2a99389423f628d9acf8f.bin.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    1688  66c34710efa2a99389423f628d9acf8f.bin.exe
    1688  66c34710efa2a99389423f628d9acf8f.bin.exe
    1344  billioe.exe
    1344  billioe.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    1344  billioe.exe
    1344  billioe.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1688 wrote to memory of 1344  66c34710efa2a99389423f628d9acf8f.bin.exe -> billioe.exe
    PID 1688 wrote to memory of 1344  66c34710efa2a99389423f628d9acf8f.bin.exe -> billioe.exe
    PID 1688 wrote to memory of 1344  66c34710efa2a99389423f628d9acf8f.bin.exe -> billioe.exe
    PID 1344 wrote to memory of 3916  billioe.exe -> billioe.exe
    PID 1344 wrote to memory of 3916  billioe.exe -> billioe.exe
    PID 1344 wrote to memory of 3916  billioe.exe -> billioe.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\66c34710efa2a99389423f628d9acf8f.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\66c34710efa2a99389423f628d9acf8f.bin.exe"
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe
      Command line: "C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe
         Command line: "C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe
  Filesize: 813KB
  MD5: 66c34710efa2a99389423f628d9acf8f
  SHA1: 0d22f8ff37b21519ca76c513a0eee998cd098fc9
  SHA256: f2548df2e5468593394ec6ac99012131d2723f88f2e35c89f41f533a78c68330
  SHA512: 0705cf05c72948b5661252201ec4163e800c4465e82bc3b775c4c71abe81aa25000788299571fad4679afdb0fca28fc62f2bc24ae1d150d3375679431f09a2a6
- memory/1344-133-0x0000000000000000-mapping.dmp
- memory/1344-138-0x0000000000400000-0x00000000004D1000-memory.dmp
  Filesize: 836KB
- memory/1688-132-0x0000000000400000-0x00000000004D1000-memory.dmp
  Filesize: 836KB
- memory/3916-136-0x0000000000000000-mapping.dmp
- memory/3916-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB