azorult | 1bd9b385e09c5918fd9ff7a15b4c5b874649c0e76f789448e742558723abfafc | Triage

Submit
Reports

Overview

overview

Static

static

815df3ce8f...0N.exe

windows10-2004-x64

Sharing

General

Target

240902-lmnh8aybpa_pw_infected.zip
Size

1.0MB
Sample

240912-m9l5cashmr
MD5

e79f66773e0e9d8a7e2470c0c817c805
SHA1

c06b9804c476e3d0108ca76c99e2af80bc8e667a
SHA256

1bd9b385e09c5918fd9ff7a15b4c5b874649c0e76f789448e742558723abfafc
SHA512

dcedb7f0b3f4f9aaea38559a29c9181f3ed2b84596712ab0057e748790cf4cc3298ec0d486b1f59f04141fa403b080cabb6006d21b7df3d5deecfd38c4cb412f
SSDEEP

24576:Ua6JFjsO2M2G5BFRmtAnYexFFWy3ECu85zj6r+3:UB5pRmtYYe40Jzqk

Score

10^/10

azorult quasar ebayprofiles discovery infostealer spyware trojan

Static task

static1

4 signatures

Behavioral task

behavioral1

Sample

815df3ce8f1ebbbdcf8fd3b5391a2a70N.exe

Resource

win10v2004-20240802-en

azorult quasar ebayprofiles discovery infostealer spyware trojan

windows10-2004-x64

19 signatures

600 seconds

Malware Config

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Targets

- Target
  
  815df3ce8f1ebbbdcf8fd3b5391a2a70N.exe
- Size
  
  2.0MB
- MD5
  
  815df3ce8f1ebbbdcf8fd3b5391a2a70
- SHA1
  
  cc19616d3d9ed0dd4ef6bac2fcf5251bec303f67
- SHA256
  
  24ce8da6f76bfa558cff3079df170e78893679ccce334fadaf21d961291b30f0
- SHA512
  
  0aec8172b2b689874b50d5861a11f16cd8dc22116f46a108f1491e14b669bd15f34b1c5cb9ea356a0c1fbfe154ef66050dbf43e74cedc2992e1c3fa3e11b8bc1
- SSDEEP
  
  24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY4:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9Y2
Score

10^/10

azorult quasar ebayprofiles discovery infostealer spyware trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

azorultquasarebayprofilesdiscoveryinfostealerspywaretrojan

© 2018-2024

Terms | Privacy