azorult

General

Target

08ccc2acd5051dfb2f74e97fe6c5aa05e54773c59b6ad3ab56cb8805863f7860
Size

948KB
Sample

250318-hjqmmazky5
MD5

79bcf3d0593756dd9866be07622d661b
SHA1

c77302f02bd42abda32d9ff0e4bc1e7c9c373cd5
SHA256

08ccc2acd5051dfb2f74e97fe6c5aa05e54773c59b6ad3ab56cb8805863f7860
SHA512

c158ccd65d70a8e2aab64de42bf90247319446ca7da38ec4b4bc7340c16e2b9ead02438e42af59fb2445aece969225a06a0dc7d22f82e590791181feab802e8a
SSDEEP

24576:/Ru6yHVXrqIvRGKH32wdyf4MxB/C3OfIuZIjNYEUCmd:5urVbqIPFMf4M2+JIBRH0

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://3nsb51.icu/DK341/index.php

Targets

- Target
  
  2597_001.exe
- Size
  
  978KB
- MD5
  
  467a4d070f5bf1a6d85e6d84fe50a1cd
- SHA1
  
  ef5ba9e014b098342f2fd61a8aefc00242e630ac
- SHA256
  
  9f816cb1e61315c8e66f40303a29821044a975da560287d10fd958de1754b1fb
- SHA512
  
  9488630c6345d93e83da3a6abf9b15149ffa2d4b8cbb02d7ea87b8f1db539a04a07c0758cabb553f0d64c8eeb15681536fa4ecee42f5f1087177909e3b9b373a
- SSDEEP
  
  24576:xKDoTVvrGs5hGKHF+7MC8dyz4M1VTMtYZMQh+LLYEUo:3VDGspQB8Mz4Mgq9+/Rr
Score

10^/10

azorult guloader collection credential_access discovery downloader infostealer spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  174708997758321cf926b69318c6c3f5
- SHA1
  
  645488089bf320f6864e0d0bc284c85216e56fbd
- SHA256
  
  f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873
- SHA512
  
  214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054
- SSDEEP
  
  48:S46+/ZTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zDuPbOBtWZBV8jAWiAJCdv2CmpL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0ff2d70cfdc8095ea99ca2dabbec3cd7
- SHA1
  
  10c51496d37cecd0e8a503a5a9bb2329d9b38116
- SHA256
  
  982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
- SHA512
  
  cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e
- SSDEEP
  
  192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
Score

3^/10

discovery
behavioral5 behavioral6