Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-05-2024 11:15

General

  • Target

    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe

  • Size

    112KB

  • MD5

    6de5b2a3dfcfca470ff68039ad159e38

  • SHA1

    d3ff0382059f13b8d5842209e67fcc50e0c0b7ae

  • SHA256

    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc

  • SHA512

    3c20f047899428b88cb322a78beeceb57b646f405100352b6938ee4d5928c7b1ef24d88c9a25f190abd0bb4551624369264966ad5f76a0cecee335579039ba98

  • SSDEEP

    3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEYnE/Pxg/:Zzx7ZApszolIo7lf/ipT/P

Malware Config

Extracted

Family

azorult

C2

http://boec.ubksg.ru/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    "C:\Users\Admin\AppData\Local\Temp\57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe"
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 872
      • Program crash
      PID:2660

Network

  • DNS (remote host flagged US)
    boec.ubksg.ru
    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    Remote address:
    8.8.8.8:53
    Request
    boec.ubksg.ru
    IN A
    Response
    boec.ubksg.ru
    IN A
    172.67.210.108
    boec.ubksg.ru
    IN A
    104.21.42.219
  • POST (remote host flagged US)
    http://boec.ubksg.ru/index.php
    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    Remote address:
    172.67.210.108:80
    Request
    POST /index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: boec.ubksg.ru
    Content-Length: 101
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Fri, 24 May 2024 11:15:43 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Fri, 24 May 2024 12:15:43 GMT
    Location: https://boec.ubksg.ru/index.php
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V42Yvr7XdKmu2wBsG8NYzj3RUwAx8UvYYRNgh0IGmosw0W3%2FQxTiGVDY7AzomTtDQCCkl%2FM1Xwpcp6lRhFLvgenmJS80A%2BAT8SR663T7Y9%2BUgbzziGo4JxX7tGqign30"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 888cde964eb40696-LHR
    alt-svc: h3=":443"; ma=86400
  • GET (remote host flagged US)
    https://boec.ubksg.ru/index.php
    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    Remote address:
    172.67.210.108:443
    Request
    GET /index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: boec.ubksg.ru
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Fri, 24 May 2024 11:15:44 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 15161
    Connection: close
    Accept-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Critical-CH: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
    Cross-Origin-Embedder-Policy: require-corp
    Cross-Origin-Opener-Policy: same-origin
    Cross-Origin-Resource-Policy: same-origin
    Origin-Agent-Cluster: ?1
    Permissions-Policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
    Referrer-Policy: same-origin
    X-Content-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    cf-mitigated: challenge
    cf-chl-out: j5Dxy5bb8OQ8eBhaWRnFV7Gilnxl2QWpxboUOkXLawtE/UG9U3lWudVe042TbMrwzq/AHWqzQHXa1iVMHqnuzZf5eEBO+i6NjtjWTMHkVML1jxVoFV+ItPAugNl6HSV+A30J4/enWjSSRGy1ioCdcQ==$ZadTkrV6cvBKhUtSI15VOg==
    Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Expires: Thu, 01 Jan 1970 00:00:01 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=prLkd6MnXce11Tp5dZJfG1thLIKlkXb1oHd1mhX6%2FizP2qcSmDhMMKB8GKBCMqpyhludj7rnsleRHvtIJ8SQPv6PoTqT%2FEDNW%2BOkrBV15v61e7kTVZvsnMs9Mky%2BVo%2B0"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 888cde98bd029559-LHR
    alt-svc: h3=":443"; ma=86400
  • 172.67.210.108:80
    http://boec.ubksg.ru/index.php
    http
    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    491 B
    1.0kB
    5
    5

    HTTP Request

    POST http://boec.ubksg.ru/index.php

    HTTP Response

    301
  • 172.67.210.108:443
    https://boec.ubksg.ru/index.php
    tls, http
    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    1.5kB
    24.1kB
    21
    27

    HTTP Request

    GET https://boec.ubksg.ru/index.php

    HTTP Response

    403
  • 8.8.8.8:53
    boec.ubksg.ru
    dns
    57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
    59 B
    91 B
    1
    1

    DNS Request

    boec.ubksg.ru

    DNS Response

    172.67.210.108
    104.21.42.219

MITRE ATT&CK Matrix

Downloads

  • memory/2548-15-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB