Analysis

max time kernel:  122s
max time network: 126s
platform:         windows7_x64
resource:         win7-20240220-en
resource tags:    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted:        15-03-2024 10:04
Behavioral task

behavioral1
Sample:   cb1fef1a16b7fc3851b569ffb51e17d9.exe
Resource: win7-20240220-en
General

Target: cb1fef1a16b7fc3851b569ffb51e17d9.exe
Size:   353KB
MD5:    cb1fef1a16b7fc3851b569ffb51e17d9
SHA1:   00373b44ad8558dd23832f3aba6b031acbad706e
SHA256: bdd500e8d7fadf83d80b3e1e6affbf60af92dff9d0b902b353e6ddad657445da
SHA512: 0e1650bc41854d87dbef66870e300b52b6bf5fdd66af7753098d3711acea1deae18241cad26b7839bcfbd4a0eccadbec3502b613046cc0a1de3b1b3649d8d016
SSDEEP: 6144:36wEc0lyFFVFCTkeiNRTD2dWlKItfK6ioAjVQ5qvfJX73aAtxzxCmJ1X3XCjC6:KwEZuFVk4eiHCiKWfooAjGovfND5xzxP
Malware Config

Extracted
family: azorult
url:    http://203.159.80.118/PL341/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Detect ZGRat V1 (1 IoC)
Processes:
resource                                                                     yara_rule
behavioral1/memory/2156-0-0x0000000001140000-0x000000000119E000-memory.dmp   family_zgrat_v1

Suspicious use of SetThreadContext (1 IoC)
Processes:
description                           pid    process                                 target process
PID 2156 set thread context of 2568   2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                         pid    process                                 target process
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
PID 2156 wrote to memory of 2568    2156   cb1fef1a16b7fc3851b569ffb51e17d9.exe    cvtres.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\cb1fef1a16b7fc3851b569ffb51e17d9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cb1fef1a16b7fc3851b569ffb51e17d9.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
Network
MITRE ATT&CK Matrix
Downloads
name                                                             filesize
memory/2156-0-0x0000000001140000-0x000000000119E000-memory.dmp   376KB
memory/2156-1-0x00000000742D0000-0x00000000749BE000-memory.dmp   6.9MB
memory/2156-2-0x00000000742D0000-0x00000000749BE000-memory.dmp   6.9MB
memory/2156-11-0x00000000742D0000-0x00000000749BE000-memory.dmp  6.9MB
memory/2568-6-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/2568-5-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/2568-4-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/2568-7-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/2568-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp   4KB
memory/2568-9-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/2568-3-0x0000000000400000-0x0000000000420000-memory.dmp   128KB
memory/2568-12-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
memory/2568-13-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
memory/2568-14-0x0000000000400000-0x0000000000420000-memory.dmp  128KB
memory/2568-15-0x0000000000400000-0x0000000000420000-memory.dmp  128KB