General

  • Target

    PURCHASE ORDER.exe

  • Size

    158KB

  • Sample

    230323-sa124sac9s

  • MD5

    ce84573aa1706cc43cc2fea8a1c98447

  • SHA1

    71af640bba2e156311b277f62faa49af184a864b

  • SHA256

    4be5fa9ac61777638bf7550de77fffee6aa150b0e5c55612753f5fe3d931d885

  • SHA512

    e0bb1ab721099aec4ff92c550460e94cc8ef9662a2f44ac977f793bd5d8633b0969ae5c502b2f8dcffb1710f55e63672709a4cab2d4e86a530ed70209bb17aa1

  • SSDEEP

    3072:Gc+LTYERpkurjMNT8dG8LiykZrFMM/j0dRDaUmwb:kLTYm3XsGG8uykxjsDaUmw

Malware Config

Extracted

  • Family

    azorult

  • C2

    http://34.217.22.124/index.php

Targets

    • Target

      PURCHASE ORDER.exe

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks