azorult

General

Target

orden_21002_pdf.vbs
Size

104KB
Sample

230301-xmh5aahc5v
MD5

4c23f122b79aea1ddc7f3fad57be19bc
SHA1

ffe08516f78803c82fe5f99b75aefd0488158957
SHA256

b4233a5f58161b20d27b87ec17701492601ba4d932513c9d22eb8f8b5ac34b76
SHA512

cf479b9ab1369ff85ba1026270042679b8ad7db577d1d01e037e4de01f7c6fb13a2d2497586f3ac63a8267d9dbebe6bb61900ba4fb09ff14001dd6ddb21ed47b
SSDEEP

3072:4M1vA5gZASC5xVeqlGHGw5fCm0eYW/G4xzZoXyxdKpXRR:4evvZkp90NoCvKJRR

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://185.29.10.113/Mugep.xtp

Extracted

Family

azorult

C2

http://46.183.222.115/Roth1/Panel/index.php

Targets

- Target
  
  orden_21002_pdf.vbs
- Size
  
  104KB
- MD5
  
  4c23f122b79aea1ddc7f3fad57be19bc
- SHA1
  
  ffe08516f78803c82fe5f99b75aefd0488158957
- SHA256
  
  b4233a5f58161b20d27b87ec17701492601ba4d932513c9d22eb8f8b5ac34b76
- SHA512
  
  cf479b9ab1369ff85ba1026270042679b8ad7db577d1d01e037e4de01f7c6fb13a2d2497586f3ac63a8267d9dbebe6bb61900ba4fb09ff14001dd6ddb21ed47b
- SSDEEP
  
  3072:4M1vA5gZASC5xVeqlGHGw5fCm0eYW/G4xzZoXyxdKpXRR:4evvZkp90NoCvKJRR
Score

10^/10

azorult guloader downloader infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Blocklisted process makes network request
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Guloader,Cloudeye

Blocklisted process makes network request

Checks QEMU agent file

Checks computer location settings

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2