Extracted

• • Target

    8251eb64179cc43bf27807daee64dc366cdf0ea7a5b79424b15a38bd64e934c8

  • Size

    4.6MB

  • MD5

    9477fb9ee926c590fed50efc8bff65ed

  • SHA1

    d5dc147a31a6adce4be7b59efa97710dd62eb77d

  • SHA256

    8251eb64179cc43bf27807daee64dc366cdf0ea7a5b79424b15a38bd64e934c8

  • SHA512

    6c6ab540c7b235a4f367b1b9e5d138650d030b07b044ed67f40c013846f0361792053efd9021bcd6db90d3122632fca160547bca866b68859d059f124649dd07

  • SSDEEP

    98304:EL4L90sBb8VQNvZNGQA/A3BRbT5CWXhZt0vU8buP1pi4YGjs5AcqR:EYRBblNvGQA/ARRbYWXhH09uP1pwwUCR

  Score

  10^/10

  azorultdefense_evasiondiscoveryinfostealertrojan

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Azorult family

    azorult

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    defense_evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion

  • Loads dropped DLL

  • Legitimate hosting services abused for malware hosting/C2

  • AutoIT Executable

    AutoIT scripts compiled to PE executables.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2