azorult

Resubmissions

04-02-2025 00:25

250204-aq1r6sylfx 7

03-02-2025 11:18

03-02-2025 11:18

03-02-2025 11:08

03-02-2025 11:05

03-02-2025 11:01

Sharing

Copy URL

Twitter E-mail

General

Target

OperaGXSetup.exe
Size

3.8MB
Sample

250203-neq1gs1pdj
MD5

5b8cb1947781b81771c8ccce8c2acf9c
SHA1

dac0a7b542a624c851bb182af26ad4540f9b3662
SHA256

26bb11eda4879dfcec579835c2e2a4240bd115415919d9934199be2d442bfc58
SHA512

70ace2d4fd39fa3923cca59f80a085025ad5c5477d873beef61036ee9590ac77a2a670d23cd149691b194e2b20f96661af8dd5d795a61bf9cfe31ff0c65d43c8
SSDEEP

98304:IA5YT8y844FnN4ChLeQEGfleiLdAXmjTjiMI:4T8y/IrBr5f3LU2ml

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Targets

- Target
  
  OperaGXSetup.exe
- Size
  
  3.8MB
- MD5
  
  5b8cb1947781b81771c8ccce8c2acf9c
- SHA1
  
  dac0a7b542a624c851bb182af26ad4540f9b3662
- SHA256
  
  26bb11eda4879dfcec579835c2e2a4240bd115415919d9934199be2d442bfc58
- SHA512
  
  70ace2d4fd39fa3923cca59f80a085025ad5c5477d873beef61036ee9590ac77a2a670d23cd149691b194e2b20f96661af8dd5d795a61bf9cfe31ff0c65d43c8
- SSDEEP
  
  98304:IA5YT8y844FnN4ChLeQEGfleiLdAXmjTjiMI:4T8y/IrBr5f3LU2ml
Score

10^/10

azorult floxif modiloader rms wannacry backdoor defense_evasion discovery execution impact infostealer lateral_movement persistence privilege_escalation ransomware rat spyware stealer trojan upx worm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Floxif family
  floxif
- Floxif, Floodfix
  Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
  backdoor trojan floxif
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  defense_evasion
- Modiloader family
  modiloader
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- Rms family
  rms
- UAC bypass
  defense_evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Windows security bypass
  defense_evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Detects Floxif payload
  backdoor
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- ModiLoader First Stage
- Remote Service Session Hijacking: RDP Hijacking
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  lateral_movement
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  defense_evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  defense_evasion
- Server Software Component: Terminal Services DLL
  persistence
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  defense_evasion
- Stops running service(s)
  defense_evasion execution
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  defense_evasion trojan
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- Password Policy Discovery
  Attempt to access detailed information about the password policy used within an enterprise network.
  discovery
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1