Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-03-2024 04:49
Static task: static1
Behavioral task: behavioral1
- Sample: d53c8a9351e8f882d8b79225bba17aa7.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d53c8a9351e8f882d8b79225bba17aa7.exe
- Resource: win10v2004-20240226-en
General
- Target: d53c8a9351e8f882d8b79225bba17aa7.exe
- Size: 1.4MB
- MD5: d53c8a9351e8f882d8b79225bba17aa7
- SHA1: 08bf592cefb4358afa4c0fd1bb77717cfa86030a
- SHA256: b4d1ee0e59a2113473a47b726eb279d4960b810dbb483507f84b6314185c6dad
- SHA512: a361ae39ec5a998215f38003dedfa3311f5c49717dad8a4e0358cd8f08045a0c0a236d2a5ba9e9e097cf9f3bcc2227da44edb3369ecbc39a73e0470d0cf03eee
- SSDEEP: 24576:Mu6J33O0c+JY5UZ+XC0kGso6FaaEeMft5so3632E/nw+FheCrjLIuGWY:Wu0c++OCvkGs9FaHe0t6z325CrLY
Malware Config
- Extracted: azorult
- URL: http://invalid666.zzz.com.ua/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2224 (d53c8a9351e8f882d8b79225bba17aa7.exe) set thread context of PID 2928 (dllhost.exe)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 2224 (d53c8a9351e8f882d8b79225bba17aa7.exe)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PID 2224 (d53c8a9351e8f882d8b79225bba17aa7.exe), 3 occurrences
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PID 2224 (d53c8a9351e8f882d8b79225bba17aa7.exe), 3 occurrences
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: PID 2224 (d53c8a9351e8f882d8b79225bba17aa7.exe) wrote to memory of PID 2928 (dllhost.exe), 5 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\d53c8a9351e8f882d8b79225bba17aa7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d53c8a9351e8f882d8b79225bba17aa7.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\dllhost.exe
    Command line: "C:\Windows\SysWOW64\dllhost.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/2224-0-0x00000000003F0000-0x000000000040D000-memory.dmp (Filesize 116KB)
- memory/2224-1-0x0000000000410000-0x000000000042C000-memory.dmp (Filesize 112KB)
- memory/2928-2-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/2928-4-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/2928-5-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
- memory/2928-6-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)