General

  • Target

    MG710417.exe

  • Size

    715KB

  • Sample

    250311-sk7yeawnt6

  • MD5

    66ef84b6805972a29ec37b229201a9ca

  • SHA1

    a0bd886bfd638ad32eaf0a024aa02249a06ee96f

  • SHA256

    a56436df8a2fedd2624c035ab834db76f6ee24d636a9a72d5fa4c04f7b0daa54

  • SHA512

    ecca6d0cc05d3fabb747a045ca3b6491db136ea1e3a6249b7324841ce118378001a6e6e3dc46ef57f2d7f8efc1f8392bd6fa49a9d08f76f352ed2c5997561834

  • SSDEEP

    12288:2i6dsV0pMDI2RM5Sl96gUIfK/URUiPn98zC/2qvhHWUnHZW9dF/:cckemG96zIfmetn+hWBWU5WN/

Malware Config

Extracted

Family

azorult

C2

http://gd53.cfd/TL341/index.php

Targets

    • Target

      MG710417.exe

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides its display window.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Los107.Raj

    • Size

      55KB

    • MD5

      fd68605dede5dff48ac0498675704de0

    • SHA1

      f1150379e8b26b01329c9af71dcaee0baf3ce819

    • SHA256

      b4bcc505d66a46af9185af84e5472ef5045cf4abfe722207076d34fbf6df40d7

    • SHA512

      36f1b2ed7cfe46141deef05cc236941363bd2ef54b3e627312f3f81d3217403a65ee4e1c94e6dce3edad99178e1263ab80f5d10b821bbf585ebdfd1b1400491f

    • SSDEEP

      1536:XyhNN+u6AmjiFn3849RlX1Kdwfcdivcr8n:ihr4+nnlKTEUu

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15