Overview

overview

10

Static

static

1

AWB-002024563.XLS.lnk

windows7-x64

8

AWB-002024563.XLS.lnk

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AWB-002024563.XLS.lnk

  • Size

    1KB

  • Sample

    241015-hzyceavhjn

  • MD5

    24b35581ca3b4d40271e57c85e296acb

  • SHA1

    06772cefa2064960b2db126373dc65cb39aca466

  • SHA256

    9b2a9d2d3db782a88b2db346864bb53ab0e08b02463555f9cd394327d1d41414

  • SHA512

    4d828fe1d9bed99f9616f84cce7893ea69923f07dd75a3da8e1e5b2bb840ddaa642aa8187721d0a198c1700413df4c79387419c7376a8d704e7bfb644d18c1da

Score
10/10
azorultdiscoveryexecutioninfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://h8m5b.shop/ML341/index.php

Targets

    • Target

      AWB-002024563.XLS.lnk

    • Size

      1KB

    • MD5

      24b35581ca3b4d40271e57c85e296acb

    • SHA1

      06772cefa2064960b2db126373dc65cb39aca466

    • SHA256

      9b2a9d2d3db782a88b2db346864bb53ab0e08b02463555f9cd394327d1d41414

    • SHA512

      4d828fe1d9bed99f9616f84cce7893ea69923f07dd75a3da8e1e5b2bb840ddaa642aa8187721d0a198c1700413df4c79387419c7376a8d704e7bfb644d18c1da

    Score
    10/10
    executionazorultdiscoveryinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks