Overview

overview

10

Static

static

3

DOCS-16000...24.exe

windows7-x64

10

DOCS-16000...24.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DOCS-1600017889PO400121-2024.exe

  • Size

    439KB

  • Sample

    240112-ynnltsfbb4

  • MD5

    e701d67db9d3705ede459a111ccf89c6

  • SHA1

    f08495fb38e4be8bf6bc445bf7296791d6c4db81

  • SHA256

    4e77b03fc9937ac68121e3121cf062ba0994ba4aa06d2ccde468ce2a91cda61f

  • SHA512

    eec6c54dda15ed582985ff875a091e1b09da7f1965b4fd9febf2eaa4701b73acf671b9a4226c3cd7c725c5eeaab91d144209f0fc12efc35d5e6d3673ccee1869

  • SSDEEP

    12288:EiMpilGo/x8uusxz4Yypk8D8lK+3pvGxuqTypR6snVWvHSb:EiMSGo/x8uus2YyC8olyuqKRnVWu

Score
10/10
azorultguloadercollectiondiscoverydownloaderinfostealerspywarestealertrojan

Malware Config

Targets

    • Target

      DOCS-1600017889PO400121-2024.exe

    • Size

      439KB

    • MD5

      e701d67db9d3705ede459a111ccf89c6

    • SHA1

      f08495fb38e4be8bf6bc445bf7296791d6c4db81

    • SHA256

      4e77b03fc9937ac68121e3121cf062ba0994ba4aa06d2ccde468ce2a91cda61f

    • SHA512

      eec6c54dda15ed582985ff875a091e1b09da7f1965b4fd9febf2eaa4701b73acf671b9a4226c3cd7c725c5eeaab91d144209f0fc12efc35d5e6d3673ccee1869

    • SSDEEP

      12288:EiMpilGo/x8uusxz4Yypk8D8lK+3pvGxuqTypR6snVWvHSb:EiMSGo/x8uus2YyC8olyuqKRnVWu

    Score
    10/10
    azorultguloadercollectiondiscoverydownloaderinfostealerspywarestealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      d968cb2b98b83c03a9f02dd9b8df97dc

    • SHA1

      d784c9b7a92dce58a5038beb62a48ff509e166a0

    • SHA256

      a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

    • SHA512

      2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

    • SSDEEP

      192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks