General

  • Target: cb8a7799a825e8f8c98076a9fefadf4d.exe
  • Size: 544KB
  • Sample: 230918-dy66pshc55
  • MD5: cb8a7799a825e8f8c98076a9fefadf4d
  • SHA1: 38378347ed6b524558f1a44bbde0961cee0a51ee
  • SHA256: 4c892de4082bc8e96eec96636cbc22092d2c9542eb5b322b6652e0a142c19c6d
  • SHA512: 21f891a7f955817e1e8fec37e1f2bb82f9b6b842a24d120f36c8fe424c2da201482888a985231eb0d2d8f69e83cabc094c89f0c03149bccfc8c2050ac917abea
  • SSDEEP: 12288:FYVAfDuHOXkabGmyhGKScM73stZpiVzhqJ7WD:FYVgbbxyAKScZ3iKJ

Malware Config

Extracted

  • Family: azorult
  • C2: http://185.28.39.18:7777/asiamandarin.buzz/deval/index.php

Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
