General
Target: 3396-163-0x0000000000400000-0x0000000000478000-memory.dmp
Size: 480KB
Sample: 230413-pnhwxacf9x
MD5: 070e46344fcc3a7a722fd6745408cdcc
SHA1: 9afa1bbe5dee48e79eae90aaafee823991f5836d
SHA256: a13ea1a09f95ced54eecb9f465840d08084ece6af94428a1a0d0a2d2ef717e67
SHA512: 61fc61f0f518211f9e26724f10a54e4fd0fa15830ef63a16c3fb908325543ae737c1eab8c4a97e6a1948f9ca7f21e2af7cd78b63174e7eec425ace475bc699fd
SSDEEP: 6144:5aO1tme++wif8rNHXf500MOduQNqS6HSTI6Mqbg64hX7buIMVT5uA:AO1tTdmd50okQNq6Uxx5bhMVVuA
Behavioral task
behavioral1
Sample: 3396-163-0x0000000000400000-0x0000000000478000-memory.exe
Resource: win7-20230220-en
Malware Config
Extracted: azorult
http://dblg023.shop/bill1/index.php
Extracted: quasar
1.3.0.0
APR
19ap22.duckdns.org:100
QSR_MUTEX_KuRNqiBWI63hLvM1k8
encryption_key: TMHR4yuB8MoZH2RLARpT
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Targets
Target: 3396-163-0x0000000000400000-0x0000000000478000-memory.dmp
Size: 480KB
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Quasar payload
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.