Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

5

5a5784318e...6N.exe

windows7-x64

10

5a5784318e...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2025, 13:01 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe

  • Size

    1.1MB

  • MD5

    4484188cb0697ff50810eda8a0274c40

  • SHA1

    04432824008a4a5a82d259bf9df637cbecaac3f0

  • SHA256

    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096

  • SHA512

    ea0dd1d49755abf04a8fb07b8ab9bd72dc64af8c7858e751a5dd38a14bf249c8c78bbcf97dfdd58f14399ab35d309c87cb6c1272b920c61781df5e577e81b361

  • SSDEEP

    24576:MAHnh+eWsN3skA4RV1Hom2KXMmHa0cH6Ww/aRf+j5k:rh+ZkldoPK8Ya022k

Score
10/10
azorultdiscoveryinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://parcelinn.com/wp-content/images/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Azorult family
    azorult
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    "C:\Users\Admin\AppData\Local\Temp\5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Users\Admin\AppData\Local\Temp\5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
      "C:\Users\Admin\AppData\Local\Temp\5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3632

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    parcelinn.com
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    Remote address:
    8.8.8.8:53
    Request
    parcelinn.com
    IN A
    Response
    parcelinn.com
    IN A
    78.135.65.4
  • flag-tr
    POST
    http://parcelinn.com/wp-content/images/index.php
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    Remote address:
    78.135.65.4:80
    Request
    POST /wp-content/images/index.php HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Host: parcelinn.com
    Content-Length: 105
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Connection: Keep-Alive
    Keep-Alive: timeout=5, max=100
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sat, 25 Jan 2025 13:01:33 GMT
    server: LiteSpeed
  • flag-us
    DNS
    parcelinn.com
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    Remote address:
    8.8.8.8:53
    Request
    parcelinn.com
    IN A
    Response
    parcelinn.com
    IN A
    78.135.65.4
  • flag-tr
    POST
    http://parcelinn.com/wp-content/images/index.php
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    Remote address:
    78.135.65.4:80
    Request
    POST /wp-content/images/index.php HTTP/1.0
    Host: parcelinn.com
    Connection: close
    User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
    Content-Length: 105
    Response
    HTTP/1.0 200 OK
    Connection: close
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sat, 25 Jan 2025 13:01:33 GMT
    server: LiteSpeed
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.65.135.78.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.65.135.78.in-addr.arpa
    IN PTR
    Response
    4.65.135.78.in-addr.arpa
    IN PTR
    rcp03hostingshcomtr
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.31.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.31.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.190.18.2.in-addr.arpa
    IN PTR
    Response
    167.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    134.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 78.135.65.4:80
    http://parcelinn.com/wp-content/images/index.php
    http
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    513 B
     322 B
     5
    3

    HTTP Request

    POST http://parcelinn.com/wp-content/images/index.php

    HTTP Response

    200
  • 78.135.65.4:80
    http://parcelinn.com/wp-content/images/index.php
    http
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    507 B
     365 B
     5
    5

    HTTP Request

    POST http://parcelinn.com/wp-content/images/index.php

    HTTP Response

    200
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    parcelinn.com
    dns
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    59 B
     75 B
     1
    1

    DNS Request

    parcelinn.com

    DNS Response

    78.135.65.4

  • 8.8.8.8:53
    parcelinn.com
    dns
    5a5784318e195205f17fe5fe4f4bc91f1673080426ec07fe1d2a963dab746096N.exe
    59 B
     75 B
     1
    1

    DNS Request

    parcelinn.com

    DNS Response

    78.135.65.4

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
     147 B
     1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    4.65.135.78.in-addr.arpa
    dns
    70 B
     107 B
     1
    1

    DNS Request

    4.65.135.78.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    73.31.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    73.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    167.190.18.2.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    167.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    134.130.81.91.in-addr.arpa
    dns
    72 B
     147 B
     1
    1

    DNS Request

    134.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2772-0-0x00000000036C0000-0x00000000036C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3632-3-0x0000000000810000-0x0000000000830000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3632-9-0x0000000000810000-0x0000000000830000-memory.dmp

    Filesize

    128KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.