Overview

overview

10

Static

static

10

18CEB0E77F...C7.exe

windows7-x64

10

18CEB0E77F...C7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2024 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18CEB0E77F2F2E55B0CC5790BEB402C7.exe

  • Size

    112KB

  • MD5

    18ceb0e77f2f2e55b0cc5790beb402c7

  • SHA1

    4f74f2570ddc1ea1cd73b73e7c7c0d35a370ee89

  • SHA256

    43b743405388e81ac65dbe9616f5db240fd3181dc05507b20bfcd40e946bc59f

  • SHA512

    36cf6ff583341f9e9a74e140b67015548adff12fa5d10d2984b2ff2d00ec535993abb08da4acb02687665c21d084a8362fa372a34ac341aef201fb1603b9adf2

  • SSDEEP

    3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZClq:faZ1tme++wiD

Score
10/10
azorultcollectiondiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://gigaload.info/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18CEB0E77F2F2E55B0CC5790BEB402C7.exe
    "C:\Users\Admin\AppData\Local\Temp\18CEB0E77F2F2E55B0CC5790BEB402C7.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "18CEB0E77F2F2E55B0CC5790BEB402C7.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Windows\SysWOW64\timeout.exe
        C:\Windows\system32\timeout.exe 3
        3⤵
        • Delays execution with timeout.exe
        PID:4980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\B7F7AEE4\mozglue.dll
    Filesize

    135KB

    MD5

    9e682f1eb98a9d41468fc3e50f907635

    SHA1

    85e0ceca36f657ddf6547aa0744f0855a27527ee

    SHA256

    830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

    SHA512

    230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B7F7AEE4\msvcp140.dll
    Filesize

    51KB

    MD5

    efbef8e08a4885ff84dda9805ddeb936

    SHA1

    06b95fca34f774811098318d40398976aab778c6

    SHA256

    0e1be5ea1a88c2314daa74fee8b2ef7039be84dd41666cc959ea62da657159cc

    SHA512

    153f3e94bc6c58123bf371d80967d1f5d2086ad79f28778ea03f56a1e08d4c60bed09f79c9ed2914a5d39841938376674fae8c9a7f095fa96b67f49f27b86220

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B7F7AEE4\nss3.dll
    Filesize

    810KB

    MD5

    c3ecd65d5b3fa76e052c861745a4249e

    SHA1

    14cc0c5cba127909cd86392a81c6362af10740ae

    SHA256

    8e9de9536acdc244e09af4d7fd6629fea7ec0cf54e4b110bd60d40549e93bc2d

    SHA512

    56de4390d0078337368dc4fcb5e1d67dfe300d20cba06fbad1e7de540ee4897f222ec2605bef639cffa806c40c5b5a59b4e8418a0c69d5e02da0f9080638a917

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B7F7AEE4\vcruntime140.dll
    Filesize

    81KB

    MD5

    7587bf9cb4147022cd5681b015183046

    SHA1

    f2106306a8f6f0da5afb7fc765cfa0757ad5a628

    SHA256

    c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

    SHA512

    0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

    Download Submit

  • memory/2236-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2236-121-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download