azorult

Sharing

Copy URL

Twitter E-mail

General

Target

d9e3c8350875e4f0e74d207351f5db02cfb0e5edd0b62743c38343e38e981727
Size

622KB
Sample

240208-rw4jpagb66
MD5

9aae07beb10162a2d525dd3aad707e26
SHA1

387c1cd54061a21941b366d15700c462c5cd2e96
SHA256

d9e3c8350875e4f0e74d207351f5db02cfb0e5edd0b62743c38343e38e981727
SHA512

f31c57173a48db8620dd952bc0180aa6557a0a656e0df6168b5c62eae39fa90547ef350fde10b747bc2c4996c6e22f7f1f4750a63469fe1dd91d5b821575f325
SSDEEP

12288:MkKnLVq69Hrc82yTPZodHtRWztKK7RG1Jz8Ap2x9c8Q04fz/sGoisDsCVVLuSjFs:AQy6ONsqLumFHnHzFTrS

Score

10^/10

Malware Config

Targets

- Target
  
  d9e3c8350875e4f0e74d207351f5db02cfb0e5edd0b62743c38343e38e981727
- Size
  
  622KB
- MD5
  
  9aae07beb10162a2d525dd3aad707e26
- SHA1
  
  387c1cd54061a21941b366d15700c462c5cd2e96
- SHA256
  
  d9e3c8350875e4f0e74d207351f5db02cfb0e5edd0b62743c38343e38e981727
- SHA512
  
  f31c57173a48db8620dd952bc0180aa6557a0a656e0df6168b5c62eae39fa90547ef350fde10b747bc2c4996c6e22f7f1f4750a63469fe1dd91d5b821575f325
- SSDEEP
  
  12288:MkKnLVq69Hrc82yTPZodHtRWztKK7RG1Jz8Ap2x9c8Q04fz/sGoisDsCVVLuSjFs:AQy6ONsqLumFHnHzFTrS
Score

10^/10

azorult guloader collection discovery downloader infostealer spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Deletes itself
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  17ed1c86bd67e78ade4712be48a7d2bd
- SHA1
  
  1cc9fe86d6d6030b4dae45ecddce5907991c01a0
- SHA256
  
  bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
- SHA512
  
  0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
- SSDEEP
  
  192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Score

3^/10
behavioral3 behavioral4
- Target
  
  Curledness/Hovedplanerne/Syndactyl/Engross/keywords.txt
- Size
  
  1010B
- MD5
  
  4d3c8d141484bbb0b8be03c13894ec9f
- SHA1
  
  1fbb29a4d6a1f48745e6d67bfa110306bc54c6ba
- SHA256
  
  c74e743057bfb38a767f3666df1d16587e2e529a070d1621be0e737366011471
- SHA512
  
  e4b9dd5c3585c24301ac71d7849616d680b25d2b340192c31c3de38a9546564cb30aa1b08bdbcba9e3b87303cd5f3bdb93e37c399bc9d056a68b9bbc7a0a3329
Score

1^/10
behavioral5 behavioral6
- Target
  
  Curledness/Hovedplanerne/Syndactyl/Engross/vtablog.dll
- Size
  
  268KB
- MD5
  
  35119e61479373ba5d7433f106556e79
- SHA1
  
  096a7d227eb2514d76ec5d10bfd1cf165d4a9177
- SHA256
  
  f21d9de02c67e51bb9f7163f676f2d4710b2befae04fd0751a63cf1278c48a3c
- SHA512
  
  21318d0924393c8269419df5acc0c07ca2f754fd9d9ad80d393cf7ebec1b16986d123f2775ae210383b7faa106ed84e829c949004a123da844c07f2b46387453
- SSDEEP
  
  3072:s1vaCg+eY9yp71driAAYBnk/+eeaQyJen3n83fucakiD88iryUBw:ovDgZYq/rzfNufuceD5UBw
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Guloader,Cloudeye

Deletes itself

Loads dropped DLL

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8