azorult

General

Target

3396-163-0x0000000000400000-0x0000000000478000-memory.dmp
Size

480KB
Sample

230413-pnhwxacf9x
MD5

070e46344fcc3a7a722fd6745408cdcc
SHA1

9afa1bbe5dee48e79eae90aaafee823991f5836d
SHA256

a13ea1a09f95ced54eecb9f465840d08084ece6af94428a1a0d0a2d2ef717e67
SHA512

61fc61f0f518211f9e26724f10a54e4fd0fa15830ef63a16c3fb908325543ae737c1eab8c4a97e6a1948f9ca7f21e2af7cd78b63174e7eec425ace475bc699fd
SSDEEP

6144:5aO1tme++wif8rNHXf500MOduQNqS6HSTI6Mqbg64hX7buIMVT5uA:AO1tTdmd50okQNq6Uxx5bhMVVuA

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://dblg023.shop/bill1/index.php

Extracted

Family

quasar

Version

1.3.0.0

Botnet

APR

C2

19ap22.duckdns.org:100

Mutex

QSR_MUTEX_KuRNqiBWI63hLvM1k8

Attributes

encryption_key
TMHR4yuB8MoZH2RLARpT
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  3396-163-0x0000000000400000-0x0000000000478000-memory.dmp
- Size
  
  480KB
- MD5
  
  070e46344fcc3a7a722fd6745408cdcc
- SHA1
  
  9afa1bbe5dee48e79eae90aaafee823991f5836d
- SHA256
  
  a13ea1a09f95ced54eecb9f465840d08084ece6af94428a1a0d0a2d2ef717e67
- SHA512
  
  61fc61f0f518211f9e26724f10a54e4fd0fa15830ef63a16c3fb908325543ae737c1eab8c4a97e6a1948f9ca7f21e2af7cd78b63174e7eec425ace475bc699fd
- SSDEEP
  
  6144:5aO1tme++wif8rNHXf500MOduQNqS6HSTI6Mqbg64hX7buIMVT5uA:AO1tTdmd50okQNq6Uxx5bhMVVuA
Score

10^/10

azorult quasar apr collection discovery infostealer spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

5

T1081

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

5

T1005

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Quasar RAT

Quasar payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2