General

  • Target

    COD 09256214_Τετάρτη, Αυγούστου 2024_765124.PDF.gz

  • Size

    533KB

  • Sample

    240906-p5s37sxhph

  • MD5

    61e488a7dca5e373cec43f8ff126428c

  • SHA1

    1bb2b75b211f0e2f67517876d76c3f0bf3457b70

  • SHA256

    a5c710cd7d220f75e78f08ca89a3017ae08ad6761d57473e4a9f55df02c47d58

  • SHA512

    de31b4df674af79e7936f3cfefc3c83148305d3f6c9479b35b2e3816433a5f8f2447799a0ce65543067b87c6a7aa967426e10008f01037da395e9d04aaca74de

  • SSDEEP

    12288:Y+1ZjOerHe8PdVIFrEfpytqRiVhmW/At0xIqxOWyec7bYwtS4TcZ7T+a:Y+rKerHBSafuq7eAeIqIDl1tSFd/

Malware Config

Extracted

Family

azorult

C2

http://l0h5.shop/CM341/index.php

Targets

    • Target

      COD 09256214__et__t_, _____st__ 2024_765124.PDF.exe

    • Size

      629KB

    • MD5

      f34d46989b27c8a7c40d395b0afd9c86

    • SHA1

      e4a7ec238d8435b094c5a38a601e133da646b4fb

    • SHA256

      0876a062221ba67194143bb2b1fc83d87b22860cf5e8cff64239b4b9dc251d11

    • SHA512

      ed53d43fdc9f1d075d94de4e79bf8631655c30a5571d5e6e3971a3a5a3a14ddaff16361df4824ad342d2375e195a0a3c8c5b6b303ee10e244a3c6d2626a5c826

    • SSDEEP

      12288:6ZZIH53gbcNk10Fu8ndvsFTEf5yFqfKLRm2/gx0xI4BOiOycDbmmpS45cZbtTkR:dHKbcNk10FBEGfWqp+gqI441FJpSBXG

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks