Analysis
-
max time kernel
111s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
30-11-2022 09:26
General
-
Target
66c34710efa2a99389423f628d9acf8f.bin.exe
-
Size
813KB
-
MD5
66c34710efa2a99389423f628d9acf8f
-
SHA1
0d22f8ff37b21519ca76c513a0eee998cd098fc9
-
SHA256
f2548df2e5468593394ec6ac99012131d2723f88f2e35c89f41f533a78c68330
-
SHA512
0705cf05c72948b5661252201ec4163e800c4465e82bc3b775c4c71abe81aa25000788299571fad4679afdb0fca28fc62f2bc24ae1d150d3375679431f09a2a6
-
SSDEEP
12288:9pS831gCYWywOWxAksig+/UZ6BN6wnapCP0pszUR5Mi0JYNjnaG9OYqQw:JOcFxAksig+1B3n2C8WzURKc7aQw
Malware Config
Extracted
azorult
http://billi.webhop.me/a/index.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\66c34710efa2a99389423f628d9acf8f.bin.exe"C:\Users\Admin\AppData\Local\Temp\66c34710efa2a99389423f628d9acf8f.bin.exe"1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe"C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe"C:\Users\Admin\AppData\Roaming\billiorb\billioe.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\billiorb\billioe.exeFilesize
813KB
MD566c34710efa2a99389423f628d9acf8f
SHA10d22f8ff37b21519ca76c513a0eee998cd098fc9
SHA256f2548df2e5468593394ec6ac99012131d2723f88f2e35c89f41f533a78c68330
SHA5120705cf05c72948b5661252201ec4163e800c4465e82bc3b775c4c71abe81aa25000788299571fad4679afdb0fca28fc62f2bc24ae1d150d3375679431f09a2a6
-
C:\Users\Admin\AppData\Roaming\billiorb\billioe.exeFilesize
813KB
MD566c34710efa2a99389423f628d9acf8f
SHA10d22f8ff37b21519ca76c513a0eee998cd098fc9
SHA256f2548df2e5468593394ec6ac99012131d2723f88f2e35c89f41f533a78c68330
SHA5120705cf05c72948b5661252201ec4163e800c4465e82bc3b775c4c71abe81aa25000788299571fad4679afdb0fca28fc62f2bc24ae1d150d3375679431f09a2a6
-
C:\Users\Admin\AppData\Roaming\billiorb\billioe.exeFilesize
813KB
MD566c34710efa2a99389423f628d9acf8f
SHA10d22f8ff37b21519ca76c513a0eee998cd098fc9
SHA256f2548df2e5468593394ec6ac99012131d2723f88f2e35c89f41f533a78c68330
SHA5120705cf05c72948b5661252201ec4163e800c4465e82bc3b775c4c71abe81aa25000788299571fad4679afdb0fca28fc62f2bc24ae1d150d3375679431f09a2a6
-
memory/1344-133-0x0000000000000000-mapping.dmp
-
memory/1344-138-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/1688-132-0x0000000000400000-0x00000000004D1000-memory.dmpFilesize
836KB
-
memory/3916-136-0x0000000000000000-mapping.dmp
-
memory/3916-139-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB