General

  • Target

    03102024_0947_ft6o99.rar

  • Size

    257B

  • Sample

    241003-lws53awfrl

  • MD5

    c5b640f6226386f6a684264914e3ef2b

  • SHA1

    0baaa36774d2b11e37aff59847f2614835d18862

  • SHA256

    2313634b41b6a6616525373b3eefb4d4f4453374ea407372cf9fd39a786b70f3

  • SHA512

    dbd86416e491f068484bf95c872fba9c40d52bf4709c4bcfd2426d7aac6fdc9f5dee43ac1536243970204d21be668fc900a7e131c83c3c43bb76472fb20a681b

Malware Config

Extracted

Family

azorult

C2

http://h8m5b.shop/ML341/index.php

Targets

    • Target

      Order-63729_Reference.bat

    • Size

      208B

    • MD5

      1959937c119d4b66dd48d8067850f50d

    • SHA1

      83c9104b1aa305fe13d1321cda6a2cabbb9241fc

    • SHA256

      e512ec36ea716c5a62c1a24fb8b794c4e6a0db4c5c7ed1d16025400428622cc2

    • SHA512

      a9b2230f6b2e0a59a2b8b8697e7beb6379a65cc0831108d6e342970e8a1fb6e4e307080053035e26f28fa62d2b1c8ccbc7927c2cf2c7e6523238d0dcf9f6b956

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Tasks