azorult

General

Target

HSBC_Payment.exe
Size

622KB
Sample

240925-g9hh9stale
MD5

a1b6b44f97ac8e1efd21bd9fa5abe56d
SHA1

2f56cfe23e6524d8ee0e33772c4c4e5ae2e74885
SHA256

a567fb9318d264cc80e334cef437c32da976282553a292df76899ac7410f4503
SHA512

2ff995bba25e85e11b59f19ef50332bec8e8603af5d95a9d2d6a4ca0b0bafdc8f1654a8dc9580d1b61040c2b064355a7dfd65f51faca2698095d13e8ae780d55
SSDEEP

6144:vYa6vEsNe5YZ0thEQfEkJSgC7M/1RuCt/Po7U8Mq3n39D3nEkxVPaEnIW2KkR4hV:vY+T5LbpJS1M/OlbMgn39DXVfPa62K66

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://l0h5.shop/UO341/index.php

Targets

- Target
  
  HSBC_Payment.exe
- Size
  
  622KB
- MD5
  
  a1b6b44f97ac8e1efd21bd9fa5abe56d
- SHA1
  
  2f56cfe23e6524d8ee0e33772c4c4e5ae2e74885
- SHA256
  
  a567fb9318d264cc80e334cef437c32da976282553a292df76899ac7410f4503
- SHA512
  
  2ff995bba25e85e11b59f19ef50332bec8e8603af5d95a9d2d6a4ca0b0bafdc8f1654a8dc9580d1b61040c2b064355a7dfd65f51faca2698095d13e8ae780d55
- SSDEEP
  
  6144:vYa6vEsNe5YZ0thEQfEkJSgC7M/1RuCt/Po7U8Mq3n39D3nEkxVPaEnIW2KkR4hV:vY+T5LbpJS1M/OlbMgn39DXVfPa62K66
Score

10^/10

discovery azorult guloader collection credential_access downloader infostealer spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  cff85c549d536f651d4fb8387f1976f2
- SHA1
  
  d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
- SHA256
  
  8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
- SHA512
  
  531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- SSDEEP
  
  192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
Score

3^/10

discovery
behavioral3 behavioral4