General
Target: RNSM00419.7z
Size: 33.1MB
Sample: 241028-ts2a9s1mcy
MD5: 9bf438de70013d4804f61a9b9dd6ad8f
SHA1: 2ce54f24cae92678bd99a158ceb6430a316de443
SHA256: 6e1b7053e06a8f95dd355f6191cfdf6af835485f94d5b8e2180e9927a2da0dd2
SHA512: 86f0aae8098779eb545ddcc49313941882512a438d9934e5d73323e2a466ebacb945f1cd2f862ca6390f10305cdd7f4a12002535a90a8e31d7622fa95e9df4b8
SSDEEP: 786432:6AGOp6uRN1MS3UBfnmdb5t+PFT261B/p0be3Q/qEvWI:/pHtVsnoaFqEhceEvWI
Static task: static1
Behavioral task: behavioral1
Sample: RNSM00419.7z
Resource: win10v2004-20241007-en
Malware Config
Extracted: azorult
URL: http://mrpeash.zzz.com.ua/1208ve671098xeu281nt2vg129xy12hv0e812/index.php
Extracted: maze
Source: C:\PerfLogs\DECRYPT-FILES.txt
URLs:
http://aoacugmutagkwctu.onion/6bed0caaee9109ca
https://mazedecrypt.top/6bed0caaee9109ca
Targets
Target: RNSM00419.7z (33.1MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Emotet family
- Maze family
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modifies WinLogon for persistence
- Modiloader family
- Vanillarat family
- Deletes shadow copies: Ransomware often targets backup files to inhibit system recovery.
- ModiLoader Second Stage
- Renames multiple (270) files with added filename extension: This suggests ransomware activity of encrypting all the files on the system.
- Vanilla Rat payload
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Credentials from Password Stores: Windows Credential Manager: Suspicious access to Credentials History.
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 2
Privilege Escalation
- Boot or Logon Autostart Execution: 3
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 2
Defense Evasion
- Impair Defenses: 1
  - Safe Mode Boot: 1
- Indicator Removal: 1
  - File Deletion: 1
- Modify Registry: 5
Credential Access
- Credentials from Password Stores: 2
  - Credentials from Web Browsers: 1
  - Windows Credential Manager: 1
- Unsecured Credentials: 1
  - Credentials In Files: 1