General

  • Target

    No. 1349240400713.exe

  • Size

    654KB

  • Sample

    241104-kbvbysxkbt

  • MD5

    0049a8ce1e4c42cea9b5d2516c64612c

  • SHA1

    f0526a23f7f5de1c0b2200e92fba833edcacbe02

  • SHA256

    d0549673b20a4041c1d1bfbdd841b0b768fefa6057f6a4203d54d0694f270cff

  • SHA512

    b0b3af0312dffad1492c768475713f15f21b7832c0a5e4e64107149ef9b4f950ca56092d0013343869a649f3c0d009a6f24ae628bbc178569911b5ea0e506315

  • SSDEEP

    6144:cT4DtLOuR2uyPG+H+tMN+dOugpzlyUflyWCalNEToCp6lAG9urP2DDUK5Lq75k:cT02VG+4iDlyUoaiXp6X9uruAK5Gi

Malware Config

Extracted

Family

azorult

C2

http://89.40.31.232/12/index.php

Targets

    • Target

      No. 1349240400713.exe

    • Size

      654KB

    • MD5

      0049a8ce1e4c42cea9b5d2516c64612c

    • SHA1

      f0526a23f7f5de1c0b2200e92fba833edcacbe02

    • SHA256

      d0549673b20a4041c1d1bfbdd841b0b768fefa6057f6a4203d54d0694f270cff

    • SHA512

      b0b3af0312dffad1492c768475713f15f21b7832c0a5e4e64107149ef9b4f950ca56092d0013343869a649f3c0d009a6f24ae628bbc178569911b5ea0e506315

    • SSDEEP

      6144:cT4DtLOuR2uyPG+H+tMN+dOugpzlyUflyWCalNEToCp6lAG9urP2DDUK5Lq75k:cT02VG+4iDlyUoaiXp6X9uruAK5Gi

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks