azorult

Resubmissions

11-06-2024 09:20

240611-la58ha1hnf 10

11-06-2024 09:18

240611-k9pt5a1hke 10

31-05-2024 08:15

240531-j5p4nach79 10

Sharing

Copy URL

Twitter E-mail

General

Target

Copy0761000025.xlsm
Size

430KB
Sample

240531-j5p4nach79
MD5

d01710a02c214a5f6e0197fd291c0b10
SHA1

3b2ed35df644d1684660543c56370dc8686e1a53
SHA256

b18796fe4a4cf8e20e1a54ec3773c819533cb15a545093d1c6e19ce14efaa93d
SHA512

45abdcf42ec483103948e2882bd8187e98ae44af425bdad5f0b1f17b99b336e80acc322c419fdab5cbc8f601993359a0e383c14927a286200c70c1044850e9e5
SSDEEP

12288:7fEXQu7SHOCZhSTIS2dGpeWpqivD1YxR25O8UM:7VwarmMSAGMID1R5OtM

Score

10^/10

Malware Config

Targets

- Target
  
  Copy0761000025.xlsm
- Size
  
  430KB
- MD5
  
  d01710a02c214a5f6e0197fd291c0b10
- SHA1
  
  3b2ed35df644d1684660543c56370dc8686e1a53
- SHA256
  
  b18796fe4a4cf8e20e1a54ec3773c819533cb15a545093d1c6e19ce14efaa93d
- SHA512
  
  45abdcf42ec483103948e2882bd8187e98ae44af425bdad5f0b1f17b99b336e80acc322c419fdab5cbc8f601993359a0e383c14927a286200c70c1044850e9e5
- SSDEEP
  
  12288:7fEXQu7SHOCZhSTIS2dGpeWpqivD1YxR25O8UM:7VwarmMSAGMID1R5OtM
Score

10^/10

execution azorult infostealer persistence trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2