General
-
Target
Ziraat Bankasi Swift Mesaji.exe
-
Size
306KB
-
Sample
230322-xmglfsag35
-
MD5
cf47c2b7b611c50fa3cd5f8c8f3e58de
-
SHA1
4d980c2a0737f786e1af27b3209ee43a85ecda35
-
SHA256
04ba3baec724f334ca46c373f3035a2e2aa98e62a64adca36ef014807dab22bc
-
SHA512
83bf0ee5b3f8a68fefa77e522a62e9503ff16c649e2ee66cf997ca1012e4b6305da09d73fd820d6e332b424fd0a71b7c63f68007cbae7c474a559629a0337310
-
SSDEEP
6144:hT5UzmxUKhkmb9KWHEWnZytz9PEcC13UachPcGb+dEpTadRWVZMlNb:hT55DrbMBiFG9+SpmRWVZC
Static task
static1
Behavioral task
behavioral1
Sample
Ziraat Bankasi Swift Mesaji.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Ziraat Bankasi Swift Mesaji.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
azorult
http://logit88.shop/L324/index.php
Targets
-
-
Target
Ziraat Bankasi Swift Mesaji.exe
-
Size
306KB
-
MD5
cf47c2b7b611c50fa3cd5f8c8f3e58de
-
SHA1
4d980c2a0737f786e1af27b3209ee43a85ecda35
-
SHA256
04ba3baec724f334ca46c373f3035a2e2aa98e62a64adca36ef014807dab22bc
-
SHA512
83bf0ee5b3f8a68fefa77e522a62e9503ff16c649e2ee66cf997ca1012e4b6305da09d73fd820d6e332b424fd0a71b7c63f68007cbae7c474a559629a0337310
-
SSDEEP
6144:hT5UzmxUKhkmb9KWHEWnZytz9PEcC13UachPcGb+dEpTadRWVZMlNb:hT55DrbMBiFG9+SpmRWVZC
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-