General
- Target: DEKONT.exe
- Size: 692KB
- Sample: 230619-nnqfbaef4t
- MD5: d746909bd4eefe8ad41fd21d9a5f6a39
- SHA1: 7a2034751aef80bcdf349f84fbd70a74c9222fca
- SHA256: 89991a697d8dc678af18d0eb76eea4f8aee2cb1cdd085f0fcdd77698fdb0d8ad
- SHA512: 0587040e9d1de3d9b823ecfb2f5741d0af3743a4c14a3aca8df8e3e5a71e2a97e4156867dad69a9a399cd6ca616371e652d3d1ea183a0e70159b37b7ce9e3d7b
- SSDEEP: 12288:gMwR+3KhVKrZ1mxAQBScGAhBJEwHzMmUpUZsujDOA6vyiNVPaas:gMwR+3WsWbBScGAhdxyu/n6Q
Static task
- static1

Behavioral tasks
- behavioral1: Sample DEKONT.exe, Resource win7-20230220-en
- behavioral2: Sample DEKONT.exe, Resource win10v2004-20230220-en
Malware Config
Extracted
- azorult
- http://dou3ble.shop/Dbl3/index.php
Targets
- Target: DEKONT.exe
Signatures
- Azorult: An information stealer first discovered in 2016, targeting browsing history and passwords.
- Checks QEMU agent file: Checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Deletes itself
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate installed software.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext