Malware Analysis Report

2024-10-19 06:57

Sample ID: 240826-bqafnaycpl
Target: s.exe
SHA256: 7a2c5d70d2dd4d8cc557da080f1a7937aa62e48da44b0de6ad3743e100f7e372
Tags: azorult collection credential_access discovery infostealer spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7a2c5d70d2dd4d8cc557da080f1a7937aa62e48da44b0de6ad3743e100f7e372

Threat Level: Known bad

The file s.exe was found to be: Known bad.

Malicious Activity Summary

azorult collection credential_access discovery infostealer spyware stealer trojan

Azorult family

Azorult

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Loads dropped DLL

Reads local data of messenger clients

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Accesses Microsoft Outlook profiles

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Delays execution with timeout.exe

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-26 01:20

Signatures

Azorult family

azorult

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-26 01:20

Reported

2024-08-26 01:23

Platform

win10-20240404-en

Max time kernel

134s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\s.exe"

Signatures

Azorult

trojan infostealer azorult

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1448 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | C:\Windows\SysWOW64\cmd.exe
PID 1448 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\s.exe | C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4888 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4888 wrote to memory of 5112 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\s.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\s.exe (PID 1448)
  "C:\Users\Admin\AppData\Local\Temp\s.exe"

  C:\Windows\SysWOW64\cmd.exe (PID 4888, child of 1448)
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "s.exe"

    C:\Windows\SysWOW64\timeout.exe (PID 5112, child of 4888)
      C:\Windows\system32\timeout.exe 3

PIDs are taken from the WriteProcessMemory rows above. The command lines name system32 while the images run from SysWOW64: s.exe is a 32-bit process, so WoW64 file system redirection maps system32 to SysWOW64 for the processes it starts. The chain is the sample's self-deletion: cmd.exe waits three seconds for s.exe to exit and then deletes its image, so on an infected host the original executable is normally gone from disk and the dropped files listed below plus the memory dump are what remains for forensics.
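The self-deletion chain above is a simple thing to detect from process-creation telemetry: a cmd.exe whose `del` target is the image of its own parent, usually preceded by a `timeout` or `ping` delay. The script below is an added example written for this page, not part of the sandbox report. The event records are constructed from the report's process tree (PIDs 1448, 4888 and 5112 and their command lines); the explorer.exe parent and the final cleanup command are made-up benign controls, and the field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine).

```python
"""Flag cmd.exe children that delete their parent's own image after a delay.
Added example, not part of the report; EVENTS is constructed from the
report's Processes and WriteProcessMemory sections plus benign controls."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (same fields as Sysmon Event ID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed: rows 1-3 mirror the report; explorer.exe (PID 2000) and the
# out.tmp cleanup (PID 6000) are invented benign controls.
EVENTS = [
    ProcEvent(1448, 2000, r"C:\Users\Admin\AppData\Local\Temp\s.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\s.exe"'),
    ProcEvent(4888, 1448, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "s.exe"'),
    ProcEvent(5112, 4888, r"C:\Windows\SysWOW64\timeout.exe",
              r"C:\Windows\system32\timeout.exe 3"),
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6000, 2000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c del "C:\Users\Admin\build\out.tmp"'),
]

# "timeout N" or "ping ... -n N": the pause that lets the parent exit first.
DELAY_RE = re.compile(r"\b(?:timeout(?:\.exe)?\s+\d+|ping\b.*?-n\s+\d+)", re.I)
# "del [/flags] <target>" up to the next command operator or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\b\s+(?:/\w+\s+)*"?([^"&|]+?)"?\s*(?:&|\||$)', re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased; works for relative targets like "s.exe"."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def self_delete_chains(events):
    """Return one finding per cmd.exe whose del target names its parent's image.

    The del target is often relative (the child inherits the parent's working
    directory), so the comparison is on the file name, not the full path."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        m = DEL_RE.search(e.cmdline)
        if parent is None or m is None:
            continue
        if basename(m.group(1)) != basename(parent.image):
            continue  # deleting something else: ordinary cleanup
        findings.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "cmd_pid": e.pid,
            "deleted": m.group(1).strip(),
            "delayed": bool(DELAY_RE.search(e.cmdline)),
        })
    return findings


if __name__ == "__main__":
    for finding in self_delete_chains(EVENTS):
        print(finding)
```

Matching on the file name rather than the full path is deliberate: `del "s.exe"` is resolved against the working directory cmd.exe inherited, which the telemetry usually does not record. Installers and updaters also delete themselves this way, so treat the finding as a triage lead that is strong when the parent ran from a user-writable directory such as Temp, as here.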

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | l0h5.shop | udp
US | 172.67.180.170:80 | l0h5.shop | tcp
US | 8.8.8.8:53 | 170.180.67.172.in-addr.arpa | udp
US | 172.67.180.170:80 | l0h5.shop | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp
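Not every row in the table above is an indicator. 8.8.8.8:53 is the sandbox's resolver, the `in-addr.arpa` rows are reverse lookups, and only the domain l0h5.shop and the plain-HTTP connection to 172.67.180.170:80 are traffic the sample generated. 172.67.0.0/16 is Cloudflare address space, so the domain is the more durable indicator than the IP. The parser below is an added example written for this page, not part of the report; the rows are copied verbatim from the Network section and all of the processing logic is this example's own. It reverses PTR names back to the IP they describe and keeps IPs that were only ever reverse-looked-up, never connected to, apart from the real connections so they are not blocked on the strength of a single DNS row.

```python
"""Turn the report's flattened Network table into blockable indicators.
Added example, not part of the report; NETWORK_ROWS is copied from the
Network section, everything else is this example's own logic."""
import ipaddress

# Country Destination Domain Proto, as printed in the report.
NETWORK_ROWS = """\
US 8.8.8.8:53 l0h5.shop udp
US 172.67.180.170:80 l0h5.shop tcp
US 8.8.8.8:53 170.180.67.172.in-addr.arpa udp
US 172.67.180.170:80 l0h5.shop tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
"""


def ptr_to_ip(name: str):
    """'170.180.67.172.in-addr.arpa' -> '172.67.180.170'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(rows: str):
    """Split rows into forward DNS names, real connections, and PTR-only IPs.

    Traffic to the resolver (udp/53) is not itself an indicator: the name
    being looked up is. An IP that appears only as a reverse lookup and was
    never connected to is returned separately as lower confidence."""
    queried_names = set()
    connections = {}   # (ip, port, proto) -> name the sandbox tied to it
    ptr_ips = set()
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, dest, name, proto = parts
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            ip_from_ptr = ptr_to_ip(name)
            if ip_from_ptr:
                ptr_ips.add(ip_from_ptr)
            else:
                queried_names.add(name.lower())
        else:
            connections[(ip, int(port), proto)] = name.lower()
    contacted = {ip for ip, _, _ in connections}
    return {
        "domains": sorted(queried_names),
        "connections": sorted(connections.items()),
        "ptr_only_ips": sorted(ptr_ips - contacted),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(NETWORK_ROWS), indent=2))
```

For this report the result is one domain, one connection and two PTR-only IPs (52.111.227.11 and 20.189.173.27). The two PTR-only addresses have no matching connection in the table, so check them against the sandbox's own background traffic before adding them to a block list.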

Files

\Users\Admin\AppData\Local\Temp\7B10FDB9\nss3.dll

MD5 556ea09421a0f74d31c4c0a89a70dc23
SHA1 f739ba9b548ee64b13eb434a3130406d23f836e3
SHA256 f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb
SHA512 2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

\Users\Admin\AppData\Local\Temp\7B10FDB9\mozglue.dll

MD5 9e682f1eb98a9d41468fc3e50f907635
SHA1 85e0ceca36f657ddf6547aa0744f0855a27527ee
SHA256 830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d
SHA512 230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

\Users\Admin\AppData\Local\Temp\7B10FDB9\vcruntime140.dll

MD5 7587bf9cb4147022cd5681b015183046
SHA1 f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256 c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA512 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

\Users\Admin\AppData\Local\Temp\7B10FDB9\msvcp140.dll

MD5 109f0f02fd37c84bfc7508d4227d7ed5
SHA1 ef7420141bb15ac334d3964082361a460bfdb975
SHA256 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA512 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

memory/1448-111-0x0000000000400000-0x0000000000420000-memory.dmp
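nss3.dll and mozglue.dll are Mozilla's NSS and mozglue libraries, and vcruntime140.dll and msvcp140.dll are the Visual C++ runtime those builds commonly link against. Stealers carry these DLLs so they can call NSS to decrypt Firefox- and Thunderbird-format credential stores, which is why the report tags the sample with "Loads dropped DLL" and "Reads user/profile data of web browsers". The hunt signal is therefore NSS libraries outside a Mozilla install directory, here in a random hex-named folder under Temp. The script below is an added example written for this page, not part of the report; the report's four paths are used as input alongside constructed legitimate Firefox paths and an unrelated temp file, and the directory-name heuristics are this example's own.

```python
"""Hunt for Mozilla NSS DLLs dropped outside a Mozilla install directory,
the pattern in the report's Files section. Added example, not part of the
report; SAMPLE_PATHS mixes the report's paths with constructed controls."""
import re

# Constructed sample: the four report paths, two legitimate Firefox copies,
# and an unrelated temp file that must not be flagged.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\7B10FDB9\nss3.dll",
    r"C:\Users\Admin\AppData\Local\Temp\7B10FDB9\mozglue.dll",
    r"C:\Users\Admin\AppData\Local\Temp\7B10FDB9\vcruntime140.dll",
    r"C:\Users\Admin\AppData\Local\Temp\7B10FDB9\msvcp140.dll",
    r"C:\Program Files\Mozilla Firefox\nss3.dll",
    r"C:\Program Files\Mozilla Firefox\mozglue.dll",
    r"C:\Users\Admin\AppData\Local\Temp\installer.log",
]

NSS_NAMES = {"nss3.dll", "mozglue.dll"}
# Lower-case directory fragments where these DLLs legitimately live.
LEGIT_DIR_MARKERS = ("\\mozilla firefox\\", "\\mozilla thunderbird\\")
# Trailing directory component made only of 6-16 hex digits, e.g. \7B10FDB9.
HEX_DIR_RE = re.compile(r"\\[0-9a-f]{6,16}$", re.I)


def hunt_nss_drops(paths):
    """Group paths by directory and flag non-Mozilla directories holding NSS DLLs.

    Returns one finding per directory with the DLLs seen and the reasons that
    raise confidence (both DLLs together, hex-named folder under Temp)."""
    by_dir = {}
    for p in paths:
        d, _, name = p.replace("/", "\\").rpartition("\\")
        by_dir.setdefault(d.lower(), set()).add(name.lower())
    findings = []
    for d, names in by_dir.items():
        found = names & NSS_NAMES
        if not found:
            continue
        if any(marker in d + "\\" for marker in LEGIT_DIR_MARKERS):
            continue  # a Mozilla product's own copy
        reasons = ["NSS DLL outside a Mozilla install directory"]
        if found == NSS_NAMES:
            reasons.append("nss3.dll and mozglue.dll dropped together")
        if "\\temp\\" in d + "\\" and HEX_DIR_RE.search(d):
            reasons.append("random hex-named directory under Temp")
        findings.append({"dir": d, "dlls": sorted(found), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_nss_drops(SAMPLE_PATHS):
        print(finding)
```

Other software also bundles NSS, so a directory match is a lead rather than a verdict: confirm it by hashing the files and comparing against the SHA256 values listed above, and check whether the directory's creating process was an unsigned binary running from Temp, as s.exe was.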