azorult

Target

Malware-1-master.zip
Size

45.4MB
Sample

250117-rk9ass1rhk
MD5

ef37386fefe6fbbf646805a591add083
SHA1

1abfc73d9a379c796036de72e5f7961b4295bf5e
SHA256

2ca4803498d7d375a61bfab2a3a4cf7e0eec41d116e50a838791a55b164e0f8c
SHA512

112cccdada7554db108f3fd469e72fc0568aadbcad33b75a2046018827c5542d5fdcb6b454eb7bb0f58a6ea00e65bcd503a807222e1f21cc9a0f087c89453d3e
SSDEEP

786432:8hXFC0opkN2sA1VYXb1ZfLKvrXpXyNoqpkHuMBWn3GhUclPgJ26GEa5+VX:+FnQCXb1ZzsyXpKdBEGeQP2Vj++p

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

bibl1234.ddns.net:1604

pizdash.ddns.net:1604

Mutex

DC_MUTEX-QKPH38W

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
2PaBrGj3TwxK
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Malware-1-master\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Extracted

Family

azorult

http://216.170.114.4/send/the/index.php

Targets

- Target
  
  Malware-1-master/2530.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Malware-1-master/2887140.exe
- Size
  
  144KB
- MD5
  
  fead887648bddd70a05cf7a7090411dd
- SHA1
  
  250c0de3dc100d265ae495f045a2c47dad3520e9
- SHA256
  
  dfaf75da62d0561d171217fe893bd818a72ebfccd9d7e7f4c046f5b3ca44794e
- SHA512
  
  e1f15de084a78bf27a1c62b5d0d31fabd10be13983dca05962c40ea1e8b3f7bb617e92f44a78048d3484d16f5d4b9e42bc8c5a4b02fda0e0f5eb69368149920a
- SSDEEP
  
  3072:buY0LMcTrgw6mo4bnGkbUyh/h39iN/Ko8LdKpZbZo:SY0IkImZUyh/h3MOc
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Drops file in System32 directory
behavioral3 behavioral4
- Target
  
  Malware-1-master/32.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Drops file in System32 directory
behavioral5 behavioral6
- Target
  
  Malware-1-master/5.exe
- Size
  
  312KB
- MD5
  
  0b0dc2b2ccd4b46b3381508f7209a582
- SHA1
  
  a67a1619f96914e4e50e4f86f656ebb54021879a
- SHA256
  
  66ae33003289d8c6c3dc7c45c1b01110b4820281061292ac076b1783700a1f2d
- SHA512
  
  0715c2f6e01a923deb8bd5c4c70906942ee46dba6383bbd2edbde53e23a7b5c2ab8063e5f48a973925815f1dec18fe15c362fcf928d4f35d12dcf123f303cc37
- SSDEEP
  
  3072:5ODQa/lz20bbn7yXO/7/rCaZXo3ZU+BfhYJMyTPkDDYvU:+Qahr7DZXSpnSs
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  Malware-1-master/96591.exe
- Size
  
  1.2MB
- MD5
  
  568d17d6da77a46e35c8094a7c414375
- SHA1
  
  500fa749471dad4ae40da6aa33fd6b2a53bcf200
- SHA256
  
  0da56126ffb57acb5bb1a3ffa1c4c0c2605d257988b2d2964344b8f23173f615
- SHA512
  
  7beb044f8bd366350b267c0fedc8466d2c5fd80b0f791f5697ce4577edced36b668401fd48df90b6c4ced05247d990c5e739e7232a2dcfc059dcc0c6a79d9427
- SSDEEP
  
  12288:D+FwW6Se3oB/8WjH2fIGOVoDJLvfOqsUFY:D+qJSgZwEIGOVUJLnOqs+Y
Score

10^/10

emotet banker discovery trojan
- Emotet
  Emotet is a trojan that is primarily spread through spam emails.
  trojan banker emotet
- Emotet family
  emotet
- Drops file in System32 directory
behavioral10 behavioral9
- Target
  
  Malware-1-master/Amadey.exe
- Size
  
  49KB
- MD5
  
  871294e398217876017702c96d0e7854
- SHA1
  
  35a22da1522bf86659576ed59235f8ed7029e79b
- SHA256
  
  7fd898dde3a7ed047657e3dc81c3de50ed381857edc53744664332fd98476c54
- SHA512
  
  047237e3a615839918fe32662524f2de5455734a01cbb2f66017c636f3d08207b3aead79cdff9a94729550ad7eddc2b5950d5e774fb25fba2d0d69e048ca7fe5
- SSDEEP
  
  768:AN4a7os+Bd1CiSJfBFdiGOsSyS5/hhurlzdx:3a2xC5+YSyE/hgpzH
Score

7^/10

defense_evasion discovery
- Executes dropped EXE
- Loads dropped DLL
behavioral11 behavioral12
- Target
  
  Malware-1-master/Download.exe
- Size
  
  247KB
- MD5
  
  6a97f4f16e7879967a5c02d143d0bd46
- SHA1
  
  0898ccf65770813f69bf339462a05a8c6e17be69
- SHA256
  
  de2274da8cf00dfc6e6e52db43f82210a1fb7fd30016ebdc81347fb2d1f248fa
- SHA512
  
  0bc14103518a2e234f4e3f4ddc46e91a1ed21c2885fd4eb27d3cf8cd088e4fa4fffcc221ddb404f52794c57d6693b2ce080e797bf33f2322490030e0fce0ac27
- SSDEEP
  
  3072:ZV3bDzHY2weWeFoyUWfMRBsfpVZynzK4ChhO2IGmXf3Ur3CvZJnodCKJYsUH+Iun:ZBbDzHY0UsfPwUIvOd1
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Malware-1-master/MEMZ-Destructive.bat
- Size
  
  13KB
- MD5
  
  4e2a7f369378a76d1df4d8c448f712af
- SHA1
  
  1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
- SHA256
  
  5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
- SHA512
  
  90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
- SSDEEP
  
  192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3
Score

7^/10

bootkit discovery execution persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral15 behavioral16
- Target
  
  Malware-1-master/MEMZ-Destructive.exe
- Size
  
  14KB
- MD5
  
  19dbec50735b5f2a72d4199c4e184960
- SHA1
  
  6fed7732f7cb6f59743795b2ab154a3676f4c822
- SHA256
  
  a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d
- SHA512
  
  aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d
- SSDEEP
  
  192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj
Score

7^/10

bootkit discovery persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral17 behavioral18
- Target
  
  Malware-1-master/Petya.exe
- Size
  
  225KB
- MD5
  
  af2379cc4d607a45ac44d62135fb7015
- SHA1
  
  39b6d40906c7f7f080e6befa93324dddadcbd9fa
- SHA256
  
  26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
- SHA512
  
  69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99
- SSDEEP
  
  6144:DCyjXhd1mialK+qoNr8PxtZE6x5v+k6f:rjXhd8ZlKOrMZE6x5b6f
Score

6^/10

bootkit persistence
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral19 behavioral20
- Target
  
  Malware-1-master/Software.exe
- Size
  
  1.6MB
- MD5
  
  db056b8fa628b67e11bd626192939d6b
- SHA1
  
  248ca50f39de6b6180265d19fb6eedc68bf25afc
- SHA256
  
  e7f04e85236f0caafe518bd96369313021969077dba1c4a6d42e694498dab04f
- SHA512
  
  bca1856b4bb8342c0f6d5ee19edcb420c70e6b272f087d3f8f73daa00842fa00037840a5eb5655e1445af8d578d304874323b2889f75b27136df9366df596336
- SSDEEP
  
  24576:ytb20pkaCqT5TBWgNQ7ayEYyM63uUOyok0ceJZwd/w9mML9eu4MaMUp46A:/Vg5tQ7ayExZO9k0waPLR4Ma25
Score

10^/10

imminent discovery spyware trojan
- Imminent RAT
  Remote-access trojan based on Imminent Monitor remote admin software.
  trojan spyware imminent
- Imminent family
  imminent
- Drops startup file
- Suspicious use of SetThreadContext
behavioral21 behavioral22
- Target
  
  Malware-1-master/WannaCry.EXE
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral23 behavioral24
- Target
  
  Malware-1-master/eternalblue.exe
- Size
  
  886KB
- MD5
  
  981aaac4782bb076aa737901910f2556
- SHA1
  
  a552a4dac03b584cbb7d461fd48b01ddaa85af5d
- SHA256
  
  7f5f447fe870449a8245e7abc19b9f4071095e02813d5f42c622add56da15b8b
- SHA512
  
  334d096f72d46adc522f21834d116968a7cb5f05dc21c60e094ac4ccff69412a2c108aeb5c54861ac717ebf884c632edd0291a3d832e4ab7dcc7903e7f965934
- SSDEEP
  
  12288:96fny4wDTzvE/XICULcJ48j406qbgg6RaAD9bSoGGHgm3Ihr6k:96fny4wbkHJ4I40vggPWSoGWv3c
Score

3^/10
behavioral25 behavioral26
- Target
  
  Malware-1-master/getr3kt.bat
- Size
  
  13KB
- MD5
  
  4e2a7f369378a76d1df4d8c448f712af
- SHA1
  
  1192b4d01254a8704e6d6ae17dc2ec28a7ad5a49
- SHA256
  
  5e2cd213ff47b7657abd9167c38ffd8b53c13261fe22adddea92b5a2d9e320ad
- SHA512
  
  90e6eedca424e2ee37c78e0c0380db490c049b0378541812734c134510c40c6e4c48c4e213f395339ed99ff337ef087b6056ac5aafb246c1789ca6082dcabd2e
- SSDEEP
  
  192:AOyUySl0UaDz2gWsIzlmj+BxZ3yqueWQx0lZicyC8Sh31xcjBzyxwn7AVhllz3:AVODaDSHMql3yqlxy5L1xcjwrlz3
Score

7^/10

bootkit discovery execution persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral27 behavioral28
- Target
  
  Malware-1-master/iimo3.exe
- Size
  
  1.7MB
- MD5
  
  4f8767983d865a5e706ae3c6aa5ab6c5
- SHA1
  
  535bc0a1cf7140176fd6e6a205f3394d146c2ba3
- SHA256
  
  5ac017285572c24fc8b77324a52ca484e83c3622c61bea80a74a6850f0a16061
- SHA512
  
  a88e5fd993d2fdde869ef32a5271d5bbd222f2174217bf4e2c4cea6fad624d237b3528478b70ab1ec5011bd031fc93319865f5877e06fb3efcc53cc5c7e786a3
- SSDEEP
  
  49152:ZgTJ84RvagaNgNu5W05jvIAo69PnaLgnMu4x:ZgmmygtNfCvjf58
Score

10^/10

discovery evasion trojan
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Identifies Wine through registry keys
  Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral29 behavioral30
- Target
  
  Malware-1-master/jey.exe
- Size
  
  744KB
- MD5
  
  5a38a223e632a4754f6ec51cbe31215a
- SHA1
  
  008cfd9a4345ff5307daa5d2662db2e185fc3014
- SHA256
  
  97cd04af9acddab58cffa58c677d7645f5d894769d76539f44380b9175a67bd4
- SHA512
  
  e42691b8fda725865b1f379ad8fb56e333ab0c588989ae2890c074679fc59f392b475c57dc472998f00b4a3cad7456810e83886f4f7dd57a8492266ea4eeb189
- SSDEEP
  
  12288:Sss9czpqdx1S3DcWayzZPnpdVYke81SmUJqwCW+:uczp4Y3DN5VYkN1ShFCW+
Score

10^/10

azorult discovery infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
behavioral31 behavioral32