General

  • Target

    871f56d3769e4019ebd21435d6b4ee35af7e1ad2ae8c46cc8faaed1545317c11_JC.exe

  • Size

    586KB

  • Sample

    230912-qgf96scg4y

  • MD5

    633674661a6ccfe8a4507da0611a5496

  • SHA1

    cbafbd723bfbdad26d421bbe5a3811d3085049ae

  • SHA256

    871f56d3769e4019ebd21435d6b4ee35af7e1ad2ae8c46cc8faaed1545317c11

  • SHA512

    e3959d8d5d80a922c212e92330fbdbe68aa3f8172c89692d33c90796949c3e65b04235d0f20b6d67c799daa2ec9adf7fac0fc5a6cd1b32bcd74d0f2ff778202f

  • SSDEEP

    6144:SgORa6xKTuuuqjL7IMLeSd4SWTaHAuiENc9NIlF1HViRTJWUi4+OJil1AhG:Sgm/SaPGNEVRT/TWP

Targets

    • Target

      871f56d3769e4019ebd21435d6b4ee35af7e1ad2ae8c46cc8faaed1545317c11_JC.exe

    • Size

      586KB

    • MD5

      633674661a6ccfe8a4507da0611a5496

    • SHA1

      cbafbd723bfbdad26d421bbe5a3811d3085049ae

    • SHA256

      871f56d3769e4019ebd21435d6b4ee35af7e1ad2ae8c46cc8faaed1545317c11

    • SHA512

      e3959d8d5d80a922c212e92330fbdbe68aa3f8172c89692d33c90796949c3e65b04235d0f20b6d67c799daa2ec9adf7fac0fc5a6cd1b32bcd74d0f2ff778202f

    • SSDEEP

      6144:SgORa6xKTuuuqjL7IMLeSd4SWTaHAuiENc9NIlF1HViRTJWUi4+OJil1AhG:Sgm/SaPGNEVRT/TWP

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to avoid running in certain regions.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data (account settings and saved credentials) on disk, which infostealers often target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag (0x4), so the new thread delivers no debug events to an attached debugger.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), an anti-debugging technique that stops the calling thread from reporting debug events.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register state to redirect its execution, a step commonly seen in process hollowing and other code injection.
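The behaviours listed above map onto a small set of API calls, registry keys and file paths. The following is an added example, not part of the original report or of the sandbox that produced it: it runs simple detection rules over a constructed API trace and reproduces the report's signature names. The trace format (one JSON object per line with pid, tid, api and args) and the sample events are assumptions made for illustration; a real sandbox emits its own schema, and the rules would need to be mapped onto it.

```python
"""Flag the report's behaviours from a constructed sandbox API trace.

Added example; the JSON-lines trace format and the events below are
assumptions for illustration, not real sandbox output.
"""
import json
import re

# Information class passed to NtSetInformationThread to hide a thread from a debugger.
THREAD_HIDE_FROM_DEBUGGER = 0x11
# Creation flag for NtCreateThreadEx with the same effect for a new thread.
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4

# Constructed trace for a fictional pid 1234; backslashes are JSON-escaped.
SAMPLE_TRACE = r"""
{"pid": 1234, "tid": 1, "api": "NtCreateFile", "args": {"path": "C:\\Program Files\\qemu-ga\\qemu-ga.exe"}}
{"pid": 1234, "tid": 1, "api": "RegOpenKeyExW", "args": {"key": "HKCU\\Control Panel\\International\\Geo"}}
{"pid": 1234, "tid": 1, "api": "RegQueryValueExW", "args": {"key": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}}
{"pid": 1234, "tid": 1, "api": "RegOpenKeyExW", "args": {"key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"}}
{"pid": 1234, "tid": 1, "api": "NtSetInformationThread", "args": {"thread_pid": 1234, "class": 0}}
{"pid": 1234, "tid": 1, "api": "NtSetInformationThread", "args": {"thread_pid": 1234, "class": 17}}
{"pid": 1234, "tid": 1, "api": "NtCreateThreadEx", "args": {"target_pid": 1234, "flags": 4}}
{"pid": 1234, "tid": 1, "api": "SetThreadContext", "args": {"target_pid": 5678}}
{"pid": 1234, "tid": 1, "api": "NtCreateFile", "args": {"path": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"}}
"""


def parse_trace(text):
    """Parse a JSON-lines trace into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return the sorted set of signature names triggered by the trace."""
    hits = set()
    for ev in events:
        api = ev["api"]
        args = ev.get("args", {})
        path = args.get("path", "")
        key = args.get("key", "").lower()

        # Anti-VM: probes for the QEMU guest agent binary.
        if api == "NtCreateFile" and re.search(r"qemu-ga", path, re.I):
            hits.add("Checks QEMU agent file")
        # Geofence: reads the configured country (GeoID) from the registry.
        if (api == "RegQueryValueExW"
                and key.endswith(r"control panel\international\geo")
                and args.get("value") == "Nation"):
            hits.add("Checks computer location settings")
        # Software inventory via the Uninstall key.
        if api.startswith("RegOpenKeyEx") and key.endswith(r"\currentversion\uninstall"):
            hits.add("Checks installed software on the system")
        # FileZilla stores saved servers in these XML files under %APPDATA%.
        if api == "NtCreateFile" and re.search(
                r"\\filezilla\\(sitemanager|recentservers)\.xml$", path, re.I):
            hits.add("Reads data files stored by FTP clients")
        # Anti-debug: ThreadHideFromDebugger via NtSetInformationThread.
        if api == "NtSetInformationThread" and args.get("class") == THREAD_HIDE_FROM_DEBUGGER:
            hits.add("Suspicious use of NtSetInformationThreadHideFromDebugger")
        # Anti-debug: hidden thread created directly with NtCreateThreadEx.
        if api == "NtCreateThreadEx" and args.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits.add("Suspicious use of NtCreateThreadExHideFromDebugger")
        # SetThreadContext is always noted; on a foreign process it indicates injection.
        if api == "SetThreadContext":
            hits.add("Suspicious use of SetThreadContext")
            if args.get("target_pid") not in (None, ev["pid"]):
                hits.add("SetThreadContext on a remote process (injection indicator)")
    return sorted(hits)


if __name__ == "__main__":
    for name in detect(parse_trace(SAMPLE_TRACE)):
        print(name)
```

The NtSetInformationThread event with class 0 is included deliberately: only the 0x11 class is an anti-debug indicator, and a rule keyed on the API name alone would over-fire on ordinary thread tuning calls.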

MITRE ATT&CK Enterprise v15
