General
Target: c04ab7d36b2e6e8175fe2e0fa8dccf14.bin
Size: 1.0MB
Sample: 231225-cefc7saffp
MD5: b3ccb6a8bc5757579d94eb4c5f3fd29d
SHA1: 86687b5a7cfb127cf3f4681e9520c9f728586ce8
SHA256: f46b5a20bbcff8379332d912fe03e03274a3d05621a33b7c46b9fe8e95623730
SHA512: 8bf4134d143071c74052e8208208baa15814beafa5ece008830ec74b1e66f54ae3fd0b583c0e4d6d9f99876449caaafde560056c4305b034cb2839a74470026f
SSDEEP: 24576:7Trgk8iIwr2p0YNAMlLNUj1ljlF72s6hVpba:7Tt8vwr2uYCMron7YH2

Behavioral task: behavioral1
Sample: bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
Resource: win10v2004-20231215-en

Malware Config
Extracted: quasar
Version: 1.3.0.0
Botnet: EbayProfiles
C2: 5.8.88.191:443, sockartek.icu:443
Mutex: QSR_MUTEX_0kBRNrRz5TDLEQouI0
encryption_key: MWhG6wsClMX8aJM2CVXT
install_name: winsock.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: win defender run
subdirectory: SubDir

Extracted: azorult
C2: http://0x21.in:8000/_az/

Targets
Target: bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
Size: 2.0MB
MD5: c04ab7d36b2e6e8175fe2e0fa8dccf14
SHA1: 6516b7e30fc92ced182230288726e517251db430
SHA256: bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
SHA512: c3bc065567b5d302c62c83a67426e465a7000aca9a99d3169c488d54ed9824972e327846109af12314d25ab10180c370468c63b11eb05aac1b3bed7d2110d753
SSDEEP: 24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB

Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Quasar payload
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
AutoIT Executable: AutoIT scripts compiled to PE executables.
Suspicious use of SetThreadContext