General

  • Target

    3.exe

  • Size

    1.0MB

  • Sample

    250122-rnpess1ncj

  • MD5

    b12fcafcafe31d82b9577e460eb964f8

  • SHA1

    58fbad4f11e59247da39a217e2c5dce1673e3f9a

  • SHA256

    c3f967c4659e6e10c8f8ab14d7900f3917ff98111d72e65954ff1c84c853fa30

  • SHA512

    d3def66c6ea0501733b2c5bed2a3e3e4342a5bafe44fd3960ea533dd746e1e70e05966e89069270ad04f86f887032501da85d67efb9600dc44f9d6ef3ef673a4

  • SSDEEP

    24576:y1O73OLeshQvkIvlD6qhMTkHppllemxT18b7Ifzfz:SzCsvOQAHXD/xT18b6Tz

Malware Config

Extracted

Family

azorult

C2

http://dx4n.icu/GH341/index.php

Targets

    • Target

      3.exe

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      14f5984b926208de2aafb55dd9971d4a

    • SHA1

      e5afe0b80568135d3e259c73f93947d758a7b980

    • SHA256

      030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

    • SHA512

      e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

    • SSDEEP

      96:k7GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgNJ38:Wygp3FcHi0xhYMR8dMqJVgN

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks