General

  • Target

    Dekont.exe

  • Size

    719KB

  • Sample

    230622-gvwscacg97

  • MD5

    6600a72fd5d02c1320c5089d07b3353b

  • SHA1

    68aaa5b59742f4ab6e916475ef0774c584efba75

  • SHA256

    8bc44267a36df18fcd02676cabaab5a82156ceca8abfd373192707a3b554f38a

  • SHA512

    4f5e98eff2a46fc608125b1f7daf6cae9cea69a4406ceec39802297b6d783d07c05c98e70cb7fcab2c8188205b7b26c84e74ad463ce7a3dc0e29962daa6f0961

  • SSDEEP

    12288:gMwR5LgTASPyjenGXtxZ162EVShywiWtkI7T9B68NSOV+BYiTgRUKNMCW/3K:gMwR5LgTASPi5d1hyqGI7xBHNSRBYict

Malware Config

Extracted

Family

azorult

C2

http://kngppdp.shop/Dbl3/index.php

Targets

    • Target

      Dekont.exe

    • Size

      719KB

    • MD5

      6600a72fd5d02c1320c5089d07b3353b

    • SHA1

      68aaa5b59742f4ab6e916475ef0774c584efba75

    • SHA256

      8bc44267a36df18fcd02676cabaab5a82156ceca8abfd373192707a3b554f38a

    • SHA512

      4f5e98eff2a46fc608125b1f7daf6cae9cea69a4406ceec39802297b6d783d07c05c98e70cb7fcab2c8188205b7b26c84e74ad463ce7a3dc0e29962daa6f0961

    • SSDEEP

      12288:gMwR5LgTASPyjenGXtxZ162EVShywiWtkI7T9B68NSOV+BYiTgRUKNMCW/3K:gMwR5LgTASPi5d1hyqGI7xBHNSRBYict

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks