Analysis
- max time kernel: 122s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 23-01-2024 21:25
Static task: static1
Behavioral task: behavioral1
- Sample: 70993af369c1515d57582eca676ba213.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 70993af369c1515d57582eca676ba213.exe
- Resource: win10v2004-20231222-en
General
- Target: 70993af369c1515d57582eca676ba213.exe
- Size: 407KB
- MD5: 70993af369c1515d57582eca676ba213
- SHA1: 6f6b9251bcda2f73733dc969af7f0821617e59a7
- SHA256: e3d292ce4f5bfec8b177e52504dd03046795938a91b4c00560367e13016e3301
- SHA512: f824042315362b2c8bfff66e8a3e89e53d1acfd2dd2bd1deb618522a8ddd433df0a0adb7d1ea38bdf0df4a38f3d9085aad438c4a5e2eeb30cab0cf3af2648ed3
- SSDEEP: 6144:rMDmO6XsxLeAEKT8OmGW3TS7moyepYbkA/B5Z+zd:rMUm7qEgkKTZ+R
Malware Config
Extracted
- Family: azorult
- C2: http://37.0.10.179/PL341/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                              | pid  | process                                | target process
  PID 2476 set thread context of 2012      | 2476 | 70993af369c1515d57582eca676ba213.exe   | 70993af369c1515d57582eca676ba213.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid  | process
  2476 | 70993af369c1515d57582eca676ba213.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description                              | pid  | process                                | target process
  PID 2476 wrote to memory of 2012         | 2476 | 70993af369c1515d57582eca676ba213.exe   | 70993af369c1515d57582eca676ba213.exe
  PID 2476 wrote to memory of 2012         | 2476 | 70993af369c1515d57582eca676ba213.exe   | 70993af369c1515d57582eca676ba213.exe
  PID 2476 wrote to memory of 2012         | 2476 | 70993af369c1515d57582eca676ba213.exe   | 70993af369c1515d57582eca676ba213.exe
  PID 2476 wrote to memory of 2012         | 2476 | 70993af369c1515d57582eca676ba213.exe   | 70993af369c1515d57582eca676ba213.exe
  PID 2476 wrote to memory of 2012         | 2476 | 70993af369c1515d57582eca676ba213.exe   | 70993af369c1515d57582eca676ba213.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\70993af369c1515d57582eca676ba213.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\70993af369c1515d57582eca676ba213.exe"
  PID: 2476
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\70993af369c1515d57582eca676ba213.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\70993af369c1515d57582eca676ba213.exe"
    PID: 2012