azorult

General

Target

RNSM00385.7z
Size

35.1MB
Sample

241103-1zwspavlhz
MD5

2123f17113a72f395448ec9effbb1918
SHA1

4a356bf5ed0c303a84ef730be14f5a2e2216338e
SHA256

edf445524ed074987ec7007a6f0358bacef2e4db69ac7b7767097c2870535a4b
SHA512

e449603bfa86fc25038c4c7a3218bbdd376504c547d05d30d1568a2a238f8ed283cc22f5c8a23719a8f230695f05248b92e1b16a61812c1189e7345ff22a502f
SSDEEP

786432:g6MdZdIgDQt1MUc+g88bn+BOHccZyNtHbBwdxkqeIHup:FM/igC1Yr42cXN9yxkZIi

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

https://tenntechs.com/apps/index.php

Targets

- Target
  
  RNSM00385.7z
- Size
  
  35.1MB
- MD5
  
  2123f17113a72f395448ec9effbb1918
- SHA1
  
  4a356bf5ed0c303a84ef730be14f5a2e2216338e
- SHA256
  
  edf445524ed074987ec7007a6f0358bacef2e4db69ac7b7767097c2870535a4b
- SHA512
  
  e449603bfa86fc25038c4c7a3218bbdd376504c547d05d30d1568a2a238f8ed283cc22f5c8a23719a8f230695f05248b92e1b16a61812c1189e7345ff22a502f
- SSDEEP
  
  786432:g6MdZdIgDQt1MUc+g88bn+BOHccZyNtHbBwdxkqeIHup:FM/igC1Yr42cXN9yxkZIi
Score

10^/10

azorult locky discovery evasion infostealer persistence ransomware spyware stealer trojan upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Locky
  Ransomware strain released in 2016, with advanced features like anti-analysis.
  ransomware locky
- Locky family
  locky
- Modifies firewall policy service
  evasion
- Modifies visibility of file extensions in Explorer
  evasion
- Modifies visiblity of hidden/system files in Explorer
  evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1