Resubmissions

27/06/2023, 01:34

230627-by5lrscf89 10

General

  • Target

    69773ff9cddbe895d0c1a7c381e15d81.bin

  • Size

    1.9MB

  • Sample

    230627-by5lrscf89

  • MD5

    27c97e68b6c392717944c9a7f25ed1e8

  • SHA1

    b87edd33ee138156fa016d71462d50ea9fb0c480

  • SHA256

    7c0602f54e0f2a3dac79b6fe48a83cfc6f0d254c7234ac63fdd43a39c9940441

  • SHA512

    11a60c272a5a412ad5443322a3ccc6d7daf338bb75a87a3f7c7c6a8cc13a05062e5cd079bc6c10b424abe5ca2083ed73d78b5e302c6685e071eae553ca57e24a

  • SSDEEP

    49152:d4YKPRLEhGa34hu6nSgXZE8zj0cCl6n5Z6D+VGz/kAen5tyUMp0bz:dV0ir1gXqncm6nfx1nm2

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

    • Target

      fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505.exe

    • Size

      2.0MB

    • MD5

      69773ff9cddbe895d0c1a7c381e15d81

    • SHA1

      15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631

    • SHA256

      fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

    • SHA512

      550f9e02a7f1a1dc3734ba0d86940c2b298cee5890801aeba4f738bb306cdc717a6ecad34e2ebd2c3ac1b0151f2acae7131388f999a30ab9b914c3707a35544e

    • SSDEEP

      49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to decide whether to run on this victim.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and browsing history.

    • Accesses Microsoft Outlook profiles

    • Checks installed software on the system

      Enumerates installed software by reading the Uninstall key entries in the registry.

    • Suspicious use of SetThreadContext
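
The report lists the stealer's host behaviours (geofence lookup, Uninstall-key enumeration, browser profile reads, Outlook profile access) but not the concrete registry keys or files behind them. The following is an added example, not part of the sandbox report, of how a detection engineer would turn those four signatures into a correlation rule over endpoint telemetry. The registry and file paths it matches are the standard Windows locations for each behaviour and are our assumption about what the sandbox keyed on; the Sysmon-style events, the SID and the process names are constructed test data, including benign noise (a browser reading its own profile, explorer.exe listing installed programs) that a naive per-event rule would misfire on.

```python
"""Correlate the AZORult-style host behaviours from the sandbox report.

Added example; the event records below are constructed, not real telemetry.
Strategy: classify each registry/file event into one of four stealer
behaviours, suppress the expected legitimate sources of each, then alert
only on processes that show at least two distinct behaviours.
"""
import re

# Standard Windows locations for each behaviour in the report. These paths are
# our assumption about what the sandbox signatures matched on.
PATTERNS = {
    "geofence_lookup": re.compile(
        r"\\Control Panel\\International\\Geo\\Nation$", re.I),
    "installed_software_enum": re.compile(
        r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(?:\\|$)", re.I),
    "outlook_profile_access": re.compile(
        r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
    "browser_profile_read": re.compile(
        r"\\(?:Login Data|Web Data|Cookies|History|logins\.json|key4\.db)$", re.I),
}

# A browser reading its own profile is normal; the signal is another process doing it.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Shell, installer and Settings legitimately walk the Uninstall key.
UNINSTALL_ALLOWLIST = {"explorer.exe", "msiexec.exe", "systemsettings.exe"}


def classify_event(event):
    """Map one event to a behaviour label, or None if benign/unmatched."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    for behaviour, pattern in PATTERNS.items():
        if not pattern.search(event["path"]):
            continue
        if behaviour == "browser_profile_read" and image in BROWSER_IMAGES:
            return None
        if behaviour == "installed_software_enum" and image in UNINSTALL_ALLOWLIST:
            return None
        return behaviour
    return None


def detect(events):
    """Aggregate matched behaviours per pid: {pid: {"image": str, "behaviours": set}}."""
    hits = {}
    for ev in events:
        behaviour = classify_event(ev)
        if behaviour is None:
            continue
        entry = hits.setdefault(ev["pid"], {"image": ev["image"], "behaviours": set()})
        entry["behaviours"].add(behaviour)
    return hits


def suspicious(events, min_behaviours=2):
    """Return (pid, image, behaviours) for processes with >= min_behaviours distinct hits.

    Requiring two independent behaviours keeps a lone Geo\\Nation read by a
    localized application from paging anyone.
    """
    return sorted(
        (pid, info["image"], tuple(sorted(info["behaviours"])))
        for pid, info in detect(events).items()
        if len(info["behaviours"]) >= min_behaviours
    )


# Constructed events. The executable name is the report's target; the SID is made up.
STEALER = (r"C:\Users\victim\AppData\Local\Temp"
           r"\fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505.exe")
SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": STEALER, "op": "RegQueryValue",
     "path": rf"HKU\{SID}\Control Panel\International\Geo\Nation"},
    {"pid": 4120, "image": STEALER, "op": "RegEnumKey",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}"},
    {"pid": 4120, "image": STEALER, "op": "ReadFile",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4120, "image": STEALER, "op": "RegOpenKey",
     "path": rf"HKU\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    # Benign noise that a per-event rule would flag.
    {"pid": 2210, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "op": "ReadFile",
     "path": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1388, "image": r"C:\Windows\explorer.exe", "op": "RegEnumKey",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"},
    # One locale lookup on its own stays below the correlation threshold.
    {"pid": 3001, "image": r"C:\Program Files\SomeVendor\updater.exe", "op": "RegQueryValue",
     "path": rf"HKU\{SID}\Control Panel\International\Geo\Nation"},
]

if __name__ == "__main__":
    for pid, image, behaviours in suspicious(SAMPLE_EVENTS):
        print(f"pid {pid} {image}: {', '.join(behaviours)}")
```

Run as-is, only pid 4120 (the dropped executable) is reported, with all four behaviours; the browser's own profile read and explorer's Uninstall walk are suppressed by the allowlists, and the single Geo\Nation read by the updater is kept by `detect()` for context but never crosses the threshold in `suspicious()`. In production the same logic maps onto Sysmon Event IDs 12/13 (registry) and 11/FileCreate or EDR file-read events, with the allowlists tuned to the fleet.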

MITRE ATT&CK Enterprise v6

Tasks