General
-
Target
d5706baea9d905339c82e789f00c0b90_NeikiAnalytics
-
Size
2.0MB
-
Sample
240515-rcp7ysch94
-
MD5
d5706baea9d905339c82e789f00c0b90
-
SHA1
7d40731353d59800b0fa48ab3d912feb1d0886e3
-
SHA256
ff49bebcd93275da89ebba8c5a9aa10644dc24502f64ab858a7c71816cdec3dc
-
SHA512
695c1bef7007e2f9d360ad89dd2098cc51695b66f511fc670898a33b31737ac89e7e9e45ac53c939b53d8947975af1c5171279714c8862dcb62612b869f91d6e
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYH:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Y1
Behavioral task
behavioral1
Sample
d5706baea9d905339c82e789f00c0b90_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d5706baea9d905339c82e789f00c0b90_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
quasar
1.3.0.0
EbayProfiles
5.8.88.191:443
sockartek.icu:443
QSR_MUTEX_0kBRNrRz5TDLEQouI0
-
encryption_key
MWhG6wsClMX8aJM2CVXT
-
install_name
winsock.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
win defender run
-
subdirectory
SubDir
Extracted
azorult
http://0x21.in:8000/_az/
Targets
-
-
Target
d5706baea9d905339c82e789f00c0b90_NeikiAnalytics
-
Size
2.0MB
-
MD5
d5706baea9d905339c82e789f00c0b90
-
SHA1
7d40731353d59800b0fa48ab3d912feb1d0886e3
-
SHA256
ff49bebcd93275da89ebba8c5a9aa10644dc24502f64ab858a7c71816cdec3dc
-
SHA512
695c1bef7007e2f9d360ad89dd2098cc51695b66f511fc670898a33b31737ac89e7e9e45ac53c939b53d8947975af1c5171279714c8862dcb62612b869f91d6e
-
SSDEEP
24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYH:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Y1
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Quasar payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-