azorult

General

Target

302829e7f789dbb781d9cf2e2a9035c289bab744061ad600d0435a137e63bb39
Size

504KB
Sample

240930-eswy8asbna
MD5

e7de28addc53209bfffba622932afd82
SHA1

f1a2c3b518720b7b7ee9fba3dfd0761778dc815e
SHA256

302829e7f789dbb781d9cf2e2a9035c289bab744061ad600d0435a137e63bb39
SHA512

af61524eb220b36e6427aa442eaace562be72af4e0465d034c7e2bc431ff07b968397614c02f530a1382a0c512a63401bc31c6afa112259a1dedf350100aeb3a
SSDEEP

12288:y3egGvsBlgxmgTeNaEQc8FPPi9YiOv4wrD2m2FHKnY:yr6sfgxmgTegXc8RamXQWD2uY

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://d4hk.shop/MI341/index.php

Targets

- Target
  
  List of Items Ref_0101283.exe
- Size
  
  532KB
- MD5
  
  861734e77cbfd9b0663419e053b8f100
- SHA1
  
  b7f908d8cf86cc9e20a51d9020d2b6860c8e4433
- SHA256
  
  8c902fc0f78ef5ae8375f02f7b48020972ea2b22fb2eb01398ac2517074ccc52
- SHA512
  
  0467e62b8781748d49ed33595fc15e8ef0ff4a01e62ed111838158f1cfeb3a55007573e8b36e38606d00359038dc1d4ca3fb71ba9816a9e6ab31e53884c67ce1
- SSDEEP
  
  12288:zBbNp7y7wNaoecSRZfiRYiWvCwr5ym2FV:9y7wgBcSDKi9qW5y
Score

10^/10

azorult guloader collection credential_access discovery downloader infostealer spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  ee260c45e97b62a5e42f17460d406068
- SHA1
  
  df35f6300a03c4d3d3bd69752574426296b78695
- SHA256
  
  e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
- SHA512
  
  a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3
- SSDEEP
  
  192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
Score

3^/10

discovery
behavioral3 behavioral4