General

  • Target

    7000091945.xlsx.exe

  • Size

    648KB

  • Sample

    241105-nkejmszfme

  • MD5

    6fbbdc300fa11d35f4caf2d9509cfcaf

  • SHA1

    5bce72cec312e8b0cac43442fc55cead8e0913f3

  • SHA256

    0f61bbeefa04009b69aaeef1ac1e05358708caf8a476675dbb2342b1b38988fc

  • SHA512

    425d40409dd78648fec7bbebecae5df4463b04514efa0bce108964b634dfe5a3aa79c9713760f664e98d8eebc76f2c7efc79862d9e835ba9104214de06ff4b15

  • SSDEEP

    12288:cT02BT4pRkr5guoCqmlxtWeqk79Uaq06p6X9uruAK5Gi:cTbBTmeWuoLmhwQilp6NBAWGi

Malware Config

Extracted

Family

azorult

C2

http://geinf0.icu/TL341/index.php

Targets

    • Target

      7000091945.xlsx.exe

    • Size

      648KB

    • MD5

      6fbbdc300fa11d35f4caf2d9509cfcaf

    • SHA1

      5bce72cec312e8b0cac43442fc55cead8e0913f3

    • SHA256

      0f61bbeefa04009b69aaeef1ac1e05358708caf8a476675dbb2342b1b38988fc

    • SHA512

      425d40409dd78648fec7bbebecae5df4463b04514efa0bce108964b634dfe5a3aa79c9713760f664e98d8eebc76f2c7efc79862d9e835ba9104214de06ff4b15

    • SSDEEP

      12288:cT02BT4pRkr5guoCqmlxtWeqk79Uaq06p6X9uruAK5Gi:cTbBTmeWuoLmhwQilp6NBAWGi

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks