General

  • Target

    69773ff9cddbe895d0c1a7c38.exe

  • Size

    2.0MB

  • Sample

    230625-mb6fbsdf83

  • MD5

    69773ff9cddbe895d0c1a7c381e15d81

  • SHA1

    15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631

  • SHA256

    fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

  • SHA512

    550f9e02a7f1a1dc3734ba0d86940c2b298cee5890801aeba4f738bb306cdc717a6ecad34e2ebd2c3ac1b0151f2acae7131388f999a30ab9b914c3707a35544e

  • SSDEEP

    49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

    • Target

      69773ff9cddbe895d0c1a7c38.exe

    • Size

      2.0MB

    • MD5

      69773ff9cddbe895d0c1a7c381e15d81

    • SHA1

      15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631

    • SHA256

      fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

    • SHA512

      550f9e02a7f1a1dc3734ba0d86940c2b298cee5890801aeba4f738bb306cdc717a6ecad34e2ebd2c3ac1b0151f2acae7131388f999a30ab9b914c3707a35544e

    • SSDEEP

      49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks