azorult

General

Target

RNSM00419.7z
Size

33.1MB
Sample

241028-ts2a9s1mcy
MD5

9bf438de70013d4804f61a9b9dd6ad8f
SHA1

2ce54f24cae92678bd99a158ceb6430a316de443
SHA256

6e1b7053e06a8f95dd355f6191cfdf6af835485f94d5b8e2180e9927a2da0dd2
SHA512

86f0aae8098779eb545ddcc49313941882512a438d9934e5d73323e2a466ebacb945f1cd2f862ca6390f10305cdd7f4a12002535a90a8e31d7622fa95e9df4b8
SSDEEP

786432:6AGOp6uRN1MS3UBfnmdb5t+PFT261B/p0be3Q/qEvWI:/pHtVsnoaFqEhceEvWI

Malware Config

Extracted

Family

azorult

C2

http://mrpeash.zzz.com.ua/1208ve671098xeu281nt2vg129xy12hv0e812/index.php

Extracted

Path

C:\PerfLogs\DECRYPT-FILES.txt

Family

maze

Ransom Note

Attention! ---------------------------- | What happened? ---------------------------- We hacked your network and now all your files, documents, photos, databases, and other important data are safely encrypted with reliable algorithms. You cannot access the files right now. But do not worry. You can get it back! It is easy to recover in a few steps. We have also downloaded a lot of private data from your network, so in case of not contacting us as soon as possible this data will be released. If you do not contact us in a 3 days we will post information about your breach on our public news website and after 7 days the whole downloaded info. To see what happens to those who don't contact us, google: * Southwire Maze Ransomware * MDLab Maze Ransomware * City of Pensacola Maze Ransomware After the payment the data will be removed from our disks and decryptor will be given to you, so you can restore all your files. ---------------------------- | How to contact us and get my files back? ---------------------------- The only method to restore your files and be safe from data leakage is to purchase a unique for you private key which is securely stored on our servers. To contact us and purchase the key you have to visit our website in a hidden TOR network. There are general 2 ways to reach us: 1) [Recommended] Using hidden TOR network. a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR Browser. c) Open the TOR Browser. d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/6bed0caaee9109ca e) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://mazedecrypt.top/6bed0caaee9109ca b) Follow the instructions on this page. Warning: the second (2) method can be blocked in some countries. That is why the first (1) method is recommended to use. On this page, you will see instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ---------------------------- | What about guarantees? ---------------------------- We understand your stress and worry. So you have a FREE opportunity to test a service by instantly decrypting for free three files from every system in your network. If you have any problems our friendly support team is always here to assist you in a live chat! P.S. Dear system administrators, do not think you can handle it by yourself. Inform leadership as soon as possible. By hiding the fact of the breach you will be eventually fired and sometimes even sued. ------------------------------------------------------------------------------- THIS IS A SPECIAL BLOCK WITH A PERSONAL AND CONFIDENTIAL INFORMATION! DO NOT TOUCH IT WE NEED IT TO IDENTIFY AND AUTHORIZE YOU ---BEGIN MAZE KEY--- JthXCYXD4iYlwtxNIt1zWmTjKieYmnZXpx1qw/2P4qZO9EQqh0DPcxDXvfr8b51MYomcJfwLHAJO/XlJ7AbIlk6DHdvQlBBdrR0hUJ2Tp0s20c5mbMafMagD/jNZVxKIByGDeGWPfPPU/ou49HpxaQarHBon0f4K72s3/10+bOTRI0LDi21s9dfSxRTk4xdxVSRBKe+NI9B222KtemhRqEYXTrxOYenGx1A0Jv2PKWSH0Y+wihYKnkO7yqnxK2mjTzq7Hzi0BN6jfcCdG5YtmawClDYvR9roy7OZoDOUZ7EYQ2I3lOBC2cVjYGv+QYFbRW2/WW1o3NQ/roeUMt58PIvU5O/1Id1Xlf4BFcQzaLSFUJ9rEwDKuDipH4KU+JOmfoEqpnYvxtlCBDMmCVQPsNra9jb9l3O5pSRo0HQl3dWPyIe316NmwvoJXkHZStcfxkPuOLRHMa8aE9YVjqxD4nRVuiDANxrR49Dq6p4erBxFzaWlzLpAIDgWHXE193jwVEA3xYsiIrvFZbS55obeNyiOdgszdiO5MQmy95iEd++j9XIlopHri45zibLdjo8By/nuZnqCRlGvF2gZxUTah0l0EiPLIX2v0G1sQoUqrAp7tAZe1Uo1FPsOsmSxpuJdVemWCI6HgVhAojn5uzfv95xuJgy7fb70MDCPcm0fAMjDO5ctONyP/94DDLVHDqexYUCIvODJVb8qaA7Y+z9avyG3WGW0bx/lNxJWKcjHvrcrJjrWghTIDO9QWSwVQUzbqjBGPdhd+9DEfzihjQIzJajJIoxWqKakpiAsnQ0heNvhG/AhZZMz3FbU7FReCGwWRgwXidCPRStxg89BKpZyfBB/GxaVwnq+77YjF2EugPDe5FUaOABjybL+HfIAciPa7AKH4TilSwJ431dqJN+GRyRy3cKLdA2Cmrg2htzSE7RNa8I1qs5LvvXHzGzHLI461sIehyKIITAwHIkmUtlAZFl+8dpo3F8iXBzswXdNnFbTrD+JtiL95OTLQnrGHZ9Tr45TY56HzMX/e4aU2XYacp5MEd1jaxTR/veTuCHegokpgLIXvOvYEy2sJ+T+QL6KVTNg62XFhd2aerSVX3Za7gIweMDaYk8/Ot4GrGLm1geK9N6JMNVUzhpkopTztyOtcyez7frVt7Ur9UaENbFCfyFcyrji2rd19qqNnlDliIgPmDgn+4r3NyDzsT1tyQw5k+Sfks5O97yAVSBu5xtXZxm3Il3spuZGG2fCj2cbVNewdtGBpO2TVyWzJdvVy2g0v3PhKbbBPlUmbIuB/MPmAzsNcdWDcSVX1TnqIgNmxwxazkQmOM3a+MSIhkNrX40nbz5ES2LsLdBD0tYdvz7b+q4Vn4GzYAzokurQ4QWf0IzVAVm7G9B8m0uCkDXeEPM6w3V6PpA7Ij4ZguGN8HasybJ3fSvtpca/fR78RKSlmExQLbo2AN51v4EWBddkMP7hWn2lzvdrvP26wtoPobpgWTpKPNQLr1T1r2vQTCVe7++Yzk1G0cz60+U7G8blqrBbv87N61ybh1XyvqVFS7mZ9fSoASkWmUFsuyqpSiQrHwVVZvTIAm/icuxp9HKT75wz9CpERxI6ugn5qVc3X05X13Nox9klwFPmir8TSrYHcBkCrQuECLbYoGy0K//B5N44tuQES/2K2xqOMssNkA91Pzhn34nU24f9E3szLCFtVP4Jm4p1Rc+kfkd31RiUcr/5OJ/fWK+oniLByPAilMuAdSQmFMj+bmP/X9qCW56L/TbK1pryS6GdCylj/5k9ZH3SKoArJgosttjb7ugaoVENlsgVkRZurADw9k2WRWBEVpK0QvGYxv9TcVJ3BCGfgxg8dJDJlC5ktHh26jKSVXv8Vi3NmXt4cM+Q+TtyCpuEGSdCozYjFpU1r6xanMpSdp6OcLe2qG4pfHoTLsZBVxoQ2K9y9yr7mMuJOY5HKZfVTQDxDdN0CzwoFL39BbqaaCcN/QjtYadb1sLdsdVY9+h8q9kPvwse3fMCcUGWtOkLxOVVQoGlt0bLkZ5xOYeCYm7OKLfeYsPmvQI5gE7nLJ1Qt7338JabERu51Ah2Ey0YT3QkUsKvAG0r0nKu3MtSguEadZtuz9UhkDOAv+3K96DeaC61UHyCjh+XTsm/04GFYJDWwhLpMPFI20GbOrlCAsbrix6Hv8egwkFZXjWfhIOczT82XPfk/NV+nxm2ktDEb+luCmm6MZ+HuW0u7K834NoflCnWYAoiNgBiAGUAZAAwAGMAYQBhAGUAZQA5ADEAMAA5AGMAYQAAABCAYBoMQQBkAG0AaQBuAAAAIiZXAE8AUgBLAEcAUgBPAFUAUABcAEcAVQBNAEwATgBMAEYARQAAACoMbgBvAG4AZQB8AAAAMixXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAAADoofABkAGUAcAByAGUAYwBhAHQAZQBkACAAPgAgAHYAMgAuADMAfAAAAEJWfABDAF8ARgBfADIAMAAzADEAMgAvADIANAAxADMANgAxAHwARABfAFUAXwAwAC8AMAB8AEYAXwBGAF8AMgAwADQAMgAxAC8AMgAwADQANwA5AHwAAABIAFBAWIkIYIkIaIkIcPa04nJ4CoABAYoBBTIuMy4x ---END MAZE KEY---

URLs

http://aoacugmutagkwctu.onion/6bed0caaee9109ca

https://mazedecrypt.top/6bed0caaee9109ca

Targets

- Target
  
  RNSM00419.7z
- Size
  
  33.1MB
- MD5
  
  9bf438de70013d4804f61a9b9dd6ad8f
- SHA1
  
  2ce54f24cae92678bd99a158ceb6430a316de443
- SHA256
  
  6e1b7053e06a8f95dd355f6191cfdf6af835485f94d5b8e2180e9927a2da0dd2
- SHA512
  
  86f0aae8098779eb545ddcc49313941882512a438d9934e5d73323e2a466ebacb945f1cd2f862ca6390f10305cdd7f4a12002535a90a8e31d7622fa95e9df4b8
- SSDEEP
  
  786432:6AGOp6uRN1MS3UBfnmdb5t+PFT261B/p0be3Q/qEvWI:/pHtVsnoaFqEhceEvWI
Score

10^/10

azorult emotet maze modiloader vanillarat banker credential_access defense_evasion discovery evasion execution impact infostealer persistence ransomware rat spyware stealer trojan upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Maze
  Ransomware family also known as ChaCha.
  trojan ransomware maze
- Maze family
  maze
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Modiloader family
  modiloader
- VanillaRat
  VanillaRat is an advanced remote administration tool coded in C#.
  rat vanillarat
- Vanillarat family
  vanillarat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- ModiLoader Second Stage
- Renames multiple (270) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Vanilla Rat payload
  rat
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1