Overview

overview

10

Static

static

3

GigaloadPa...5).exe

windows7-x64

10

GigaloadPa...5).exe

windows10-2004-x64

10

GigaloadPa...5).exe

windows10-ltsc 2021-x64

10

GigaloadPa...5).exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    37s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GigaloadPayload (12345).exe

  • Size

    3.9MB

  • MD5

    b9406604f5de550f91f2e8afbf7ccb48

  • SHA1

    89668040f222864fe263593c7691320cd6947cc7

  • SHA256

    a358a32d3298e53eb7a94c199985f5170c760f21af0dee7906e9072cd157ed59

  • SHA512

    84b672fdae327620044ed4c4d4ab9f38423f113c96eae29a752331b4f61bddc9cd519c84dd4f0ccc065131ebdc8c87901164bba089bdff6e897573acd1d6d926

  • SSDEEP

    98304:ehyDwycvLyZOaBukBPk76NJ0tsxIDBGRZqGQ0nu0:ehyDwy2QBuKseIWZqKu0

Score
10/10
azorultponycollectioncredential_accessdiscoveryinfostealerratspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://upqx.ru/1210776429.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Azorult family
    azorult
  • Pony family
    pony
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GigaloadPayload (12345).exe
    "C:\Users\Admin\AppData\Local\Temp\GigaloadPayload (12345).exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:436
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
        keygen-pj.exe -pAevKviq48c
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3904
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Accesses Microsoft Outlook accounts
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_win_path
          PID:2028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240614546.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe" "
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3496
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
        keygen-step-1.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3252
      • C:\Windows\System32\control.exe
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4804
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4464
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl",
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:5032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\240614546.bat
    Filesize

    94B

    MD5

    3880eeb1c736d853eb13b44898b718ab

    SHA1

    4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

    SHA256

    936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

    SHA512

    3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pj.exe
    Filesize

    363KB

    MD5

    c0f34f38475aa244c9c8696aeed709a5

    SHA1

    0194b56c80c4b5192873400fdc96ce7d8df682a2

    SHA256

    831c985a5c9cc76c7c3de456f2eafeeba65a8930ef5e2aecc69fc7bd739f1046

    SHA512

    15defe7601a9d49325719b746422ddc60492935d3e34db058ed7f726cfeff0b3dac6faf2bcb9113ce14bdf9e8d295bef33931fd23e58c995cc6a4f42fa310ced

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    Filesize

    112KB

    MD5

    43eb47b71c9f1003adc2d0f108d2679c

    SHA1

    5965eb51d289dc79ab56cb995d47f371472d4846

    SHA256

    913ee402508d3b9e7e55e1051f16a358ce78c19b4e07c6f234f4b73602802fa1

    SHA512

    7713cfcf2e1aae2ddc4dab14f4f7f1a4f5a414f87f75a2371fe261edceb9882b935a6044dd0fd1b88fc11cc9b044672fb14a91987806e3afff9df74fd6f5eee0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.cpl
    Filesize

    3.5MB

    MD5

    f79d41dcfd84fd36b9cd7179785d6e80

    SHA1

    2f3b1ee36156f0a443c0ae0628a3229c9068b06f

    SHA256

    0d3056fb280d3ad7ff3e72fd285ecdf6ab1bedab3165386e58f7a76b84d9f275

    SHA512

    b42accfe5dd52f0c0299ff74ea4f85b20335c8fc9f0b80437e69c1f9378bb2259d58ca52fc89cb093d6d3bd43673c8e49dc97872b7025e3164488e162f25ed71

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
    Filesize

    97B

    MD5

    b7da5b5251bfd8f57cbac943155601a9

    SHA1

    133751b2b7a68a92ad1e21417dd4d2b1d44cc2da

    SHA256

    023d11aa3cbc04bc1591c0bb608f35da7c124f8a30c57accaf6be067b889c2ee

    SHA512

    7e71857c603dee06fc7a63a8a0e7cfb7f18d24b676c0a3df45f5b011f638a84faf4bb5d69ebc2c5a998482c4bbad1b726c43aa6e5669d3762f263a56d4e47368

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
    Filesize

    103KB

    MD5

    2fbf80a7ba32f036bb97a2d0d909283c

    SHA1

    ed00a832320f3806ef3ecacfb54356e55b8e713f

    SHA256

    aaa583789b2a7d918ab2654f48b2f401588f43f8b835ea176ea4276c59bed4ee

    SHA512

    a74ec6ffc270d3800f673aa83a76d6dc59857a71791470a4e09653bbfc18ec192b8949566ab15adaf923a3f9b54d568f6de93ad36df70357450d3effb09160ef

    Download Submit

  • memory/3252-25-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download