General

  • Target

    2633b28bd403cc1e09bc10f01a23aa9724117ce88d83d72ac8433e8c855612e6.exe

  • Size

    596KB

  • Sample

    240917-bf9srsyfkj

  • MD5

    91405b1b3deb5402675dc7af8266cf7b

  • SHA1

    b14dc9424a48020a4a523250db9cbd1e40621c25

  • SHA256

    2633b28bd403cc1e09bc10f01a23aa9724117ce88d83d72ac8433e8c855612e6

  • SHA512

    d2e5a343cd964834b2df6a94b62e42d88462305bdea34a600fb86d93e00ff3a763210df18b9f9f8157e81314b79af359c7e3974d1e62d34329d7ac5feaae5329

  • SSDEEP

    6144:TZ/qRrSM9JskbekTxUzqbJNT8zmXp45HcIZeJVZ4WiCm5MKQ4ouOO/wCi1pL:TBIJsQeUxUzqDwzCe+IZeJVmQuOCCL

Malware Config

Extracted

Family

azorult

C2

http://vlha.shop/LP341/index.php

Targets

    • Target

      2633b28bd403cc1e09bc10f01a23aa9724117ce88d83d72ac8433e8c855612e6.exe

    • Size

      596KB

    • MD5

      91405b1b3deb5402675dc7af8266cf7b

    • SHA1

      b14dc9424a48020a4a523250db9cbd1e40621c25

    • SHA256

      2633b28bd403cc1e09bc10f01a23aa9724117ce88d83d72ac8433e8c855612e6

    • SHA512

      d2e5a343cd964834b2df6a94b62e42d88462305bdea34a600fb86d93e00ff3a763210df18b9f9f8157e81314b79af359c7e3974d1e62d34329d7ac5feaae5329

    • SSDEEP

      6144:TZ/qRrSM9JskbekTxUzqbJNT8zmXp45HcIZeJVZ4WiCm5MKQ4ouOO/wCi1pL:TBIJsQeUxUzqDwzCe+IZeJVmQuOCCL

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks