azorult | a91099e533b47793b3fcbbb538211b859d1c068acd0d0bc37a16a01da4905f26 | Triage

Submit
Reports

Overview

overview

Static

static

1

RNSM00330.7z

windows7-x64

Sharing

General

Target

RNSM00330.7z
Size

910KB
Sample

241111-1q8e5axelq
MD5

54b42e36ccf7b09f89b13b612c6a22a8
SHA1

82440a7b7934cb920bb9f0f441d1b5057829d0b5
SHA256

a91099e533b47793b3fcbbb538211b859d1c068acd0d0bc37a16a01da4905f26
SHA512

b35e0ab40ab4c3a986e43fadb2bc74f504269a3a920c9cab49dc593663e81595b15b27a50239ce42140a36c14b8da52fe22115324e5fefd08fc01867db158794
SSDEEP

24576:IyJb2v9yNL7H8D/X0mALHr0+qfUyJN1EQJoFdJjSbZF:IyJOCfc50rzqVNRedJ6F

Score

10^/10

azorult discovery infostealer persistence ransomware spyware stealer trojan upx

Static task

static1

Behavioral task

behavioral1

Sample

RNSM00330.7z

Resource

win7-20241023-en

azorult discovery infostealer persistence ransomware spyware stealer trojan upx

windows7-x64

20 signatures

300 seconds

Malware Config

Extracted

Family

azorult

C2

http://admin.svapofit.com/azs/index.php

Targets

- Target
  
  RNSM00330.7z
- Size
  
  910KB
- MD5
  
  54b42e36ccf7b09f89b13b612c6a22a8
- SHA1
  
  82440a7b7934cb920bb9f0f441d1b5057829d0b5
- SHA256
  
  a91099e533b47793b3fcbbb538211b859d1c068acd0d0bc37a16a01da4905f26
- SHA512
  
  b35e0ab40ab4c3a986e43fadb2bc74f504269a3a920c9cab49dc593663e81595b15b27a50239ce42140a36c14b8da52fe22115324e5fefd08fc01867db158794
- SSDEEP
  
  24576:IyJb2v9yNL7H8D/X0mALHr0+qfUyJN1EQJoFdJjSbZF:IyJOCfc50rzqVNRedJ6F
Score

10^/10

azorult discovery infostealer persistence ransomware spyware stealer trojan upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Renames multiple (174) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

azorultdiscoveryinfostealerpersistenceransomwarespywarestealertrojanupx

© 2018-2024

Terms | Privacy