Overview

overview

10

Static

static

3

rCRW51901537.exe

windows7-x64

8

rCRW51901537.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    rCRW51901537.exe

  • Size

    903KB

  • Sample

    250203-sdenaatrbv

  • MD5

    5e61c03c8a975e86e792bfa3f671ba64

  • SHA1

    63ce77c1135445358dfae6f106e964546fdc025d

  • SHA256

    ea08fba535ff837c953efbd7e664aa22bec2f4784d2d66e3dea3b357b705d973

  • SHA512

    fe51514c8b8563b6e32a4369fab1d3f5af840768cdad3cd5887fbde5a9e47ac9edec446e2776fa3f998d71977fe8034e1da5069684389f6073ce78d910dedb20

  • SSDEEP

    24576:Xiln2+hjdsfdMks3KgZ32Z8ImwIQSEab+W0Ab:Xonzds1MkkKBZ8I1RSTb+m

Score
10/10
azorultcollectioncredential_accessdiscoveryexecutioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

azorult

C2

http://kb1u.icu/GI341/index.php

Targets

    • Target

      rCRW51901537.exe

    • Size

      903KB

    • MD5

      5e61c03c8a975e86e792bfa3f671ba64

    • SHA1

      63ce77c1135445358dfae6f106e964546fdc025d

    • SHA256

      ea08fba535ff837c953efbd7e664aa22bec2f4784d2d66e3dea3b357b705d973

    • SHA512

      fe51514c8b8563b6e32a4369fab1d3f5af840768cdad3cd5887fbde5a9e47ac9edec446e2776fa3f998d71977fe8034e1da5069684389f6073ce78d910dedb20

    • SSDEEP

      24576:Xiln2+hjdsfdMks3KgZ32Z8ImwIQSEab+W0Ab:Xonzds1MkkKBZ8I1RSTb+m

    Score
    10/10
    discoveryexecutionazorultcollectioncredential_accessinfostealerspywarestealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Azorult family

      azorult

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b55f7f1b17c39018910c23108f929082

    • SHA1

      1601f1cc0d0d6bcf35799b7cd15550cd01556172

    • SHA256

      c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

    • SHA512

      d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

    • SSDEEP

      96:L7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN538:RbGgGPzxeX6D8ZyGgmkN

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks