Analysis
max time kernel: 140s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 11:15
Behavioral task
behavioral1
Sample
57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
Resource
win10v2004-20240508-en
General
Target: 57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
Size: 112KB
MD5: 6de5b2a3dfcfca470ff68039ad159e38
SHA1: d3ff0382059f13b8d5842209e67fcc50e0c0b7ae
SHA256: 57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc
SHA512: 3c20f047899428b88cb322a78beeceb57b646f405100352b6938ee4d5928c7b1ef24d88c9a25f190abd0bb4551624369264966ad5f76a0cecee335579039ba98
SSDEEP: 3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEYnE/Pxg/:Zzx7ZApszolIo7lf/ipT/P
Malware Config
Extracted
azorult
http://boec.ubksg.ru/index.php
Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Program crash (1 IoC)
pid    pid_target    Process         procid_target
2660   2548          WerFault.exe    27

Suspicious use of WriteProcessMemory (4 IoCs)
description                          pid    Process                                                                 procid_target
PID 2548 wrote to memory of 2660     2548   57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe   28
PID 2548 wrote to memory of 2660     2548   57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe   28
PID 2548 wrote to memory of 2660     2548   57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe   28
PID 2548 wrote to memory of 2660     2548   57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe   28
Processes

C:\Users\Admin\AppData\Local\Temp\57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe"
  Suspicious use of WriteProcessMemory
  PID: 2548

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 872
    Program crash
    PID: 2660
Network

Remote address: 8.8.8.8:53
Request: boec.ubksg.ru IN A
Response: boec.ubksg.ru IN A 172.67.210.108
          boec.ubksg.ru IN A 104.21.42.219

POST http://boec.ubksg.ru/index.php (57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe)
Remote address: 172.67.210.108:80
Request:
POST /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: boec.ubksg.ru
Content-Length: 101
Cache-Control: no-cache
Response:
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Content-Length: 167
Connection: close
Cache-Control: max-age=3600
Expires: Fri, 24 May 2024 12:15:43 GMT
Location: https://boec.ubksg.ru/index.php
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V42Yvr7XdKmu2wBsG8NYzj3RUwAx8UvYYRNgh0IGmosw0W3%2FQxTiGVDY7AzomTtDQCCkl%2FM1Xwpcp6lRhFLvgenmJS80A%2BAT8SR663T7Y9%2BUgbzziGo4JxX7tGqign30"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 888cde964eb40696-LHR
alt-svc: h3=":443"; ma=86400

GET https://boec.ubksg.ru/index.php (57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe)
Remote address: 172.67.210.108:443
Request:
GET /index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: boec.ubksg.ru
Connection: Keep-Alive
Cache-Control: no-cache
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 15161
Connection: close
Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
Referrer-Policy: same-origin
X-Content-Options: nosniff
X-Frame-Options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: j5Dxy5bb8OQ8eBhaWRnFV7Gilnxl2QWpxboUOkXLawtE/UG9U3lWudVe042TbMrwzq/AHWqzQHXa1iVMHqnuzZf5eEBO+i6NjtjWTMHkVML1jxVoFV+ItPAugNl6HSV+A30J4/enWjSSRGy1ioCdcQ==$ZadTkrV6cvBKhUtSI15VOg==
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=prLkd6MnXce11Tp5dZJfG1thLIKlkXb1oHd1mhX6%2FizP2qcSmDhMMKB8GKBCMqpyhludj7rnsleRHvtIJ8SQPv6PoTqT%2FEDNW%2BOkrBV15v61e7kTVZvsnMs9Mky%2BVo%2B0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 888cde98bd029559-LHR
alt-svc: h3=":443"; ma=86400

Remote address       URL                               Protocol    Process                                                                 Bytes             Packets
172.67.210.108:80    http://boec.ubksg.ru/index.php    http        57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe   491 B / 1.0kB     5 / 5
  HTTP Request: POST http://boec.ubksg.ru/index.php
  HTTP Response: 301
172.67.210.108:443   https://boec.ubksg.ru/index.php   tls, http   57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe   1.5kB / 24.1kB    21 / 27
  HTTP Request: GET https://boec.ubksg.ru/index.php
  HTTP Response: 403