General

  • Target

    Dekont#400577_89008_96634.exe

  • Size

    641KB

  • Sample

    241104-nsaweszdjk

  • MD5

    1d14f171fd8a6a070150c81abed8b966

  • SHA1

    605071e065fd88525285c736dcc5f8461a60195c

  • SHA256

    ffb9748a0ed7684161780e27a733f2ab11071515cc27905767813a32c8c308ff

  • SHA512

    a337e284c26b730b72859c509decbc7d8733efd2729ae5d280558a504c6837e2546eb037edfad7b0f00c0b1c1cdd8e42728fc5e33dbb9f2a01315cbc47ab5182

  • SSDEEP

    12288:cT02SzNhc9bP9qhlkT+8dLb1c09/p6X9uruAK5Gi:cTbSzNy9bP9Elo1O0Fp6NBAWGi

Malware Config

Extracted

Family

azorult

C2

http://89.40.31.232/12/index.php

Targets

    • Target

      Dekont#400577_89008_96634.exe

    • Size

      641KB

    • MD5

      1d14f171fd8a6a070150c81abed8b966

    • SHA1

      605071e065fd88525285c736dcc5f8461a60195c

    • SHA256

      ffb9748a0ed7684161780e27a733f2ab11071515cc27905767813a32c8c308ff

    • SHA512

      a337e284c26b730b72859c509decbc7d8733efd2729ae5d280558a504c6837e2546eb037edfad7b0f00c0b1c1cdd8e42728fc5e33dbb9f2a01315cbc47ab5182

    • SSDEEP

      12288:cT02SzNhc9bP9qhlkT+8dLb1c09/p6X9uruAK5Gi:cTbSzNy9bP9Elo1O0Fp6NBAWGi

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks