azorult

General

Target

HSBC_PAYMENT_ADVICE.exe
Size

990KB
Sample

250318-hw6vdawxew
MD5

5c09efb4b470be007ec32c8b75573778
SHA1

56bf0096d00744a62ebc6d92a8d946f0ea640bc3
SHA256

a2c99657a4ad9ee39ac142a3a531378b58b716cc08af27046667cee10c3c07d2
SHA512

392bdc9e67ff1088e8a7257da1a558be4dd917873f5fcdf49693411d1afad9e04dc05e15755ae15d31d296d6584f2f110572c2002a83da074a277f2c65c373b1
SSDEEP

24576:hK5QwkDX9VadkI7t+7MC8dyz4M1VTMtYZMQh+LLYEUoA:GuVaddIB8Mz4Mgq9+/RrA

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://j4b2.icu/TL341/index.php

Targets

- Target
  
  HSBC_PAYMENT_ADVICE.exe
- Size
  
  990KB
- MD5
  
  5c09efb4b470be007ec32c8b75573778
- SHA1
  
  56bf0096d00744a62ebc6d92a8d946f0ea640bc3
- SHA256
  
  a2c99657a4ad9ee39ac142a3a531378b58b716cc08af27046667cee10c3c07d2
- SHA512
  
  392bdc9e67ff1088e8a7257da1a558be4dd917873f5fcdf49693411d1afad9e04dc05e15755ae15d31d296d6584f2f110572c2002a83da074a277f2c65c373b1
- SSDEEP
  
  24576:hK5QwkDX9VadkI7t+7MC8dyz4M1VTMtYZMQh+LLYEUoA:GuVaddIB8Mz4Mgq9+/RrA
Score

10^/10

azorult guloader collection credential_access discovery downloader infostealer spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- Guloader family
  guloader
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
  downloader guloader
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Loads dropped DLL
- Reads WinSCP keys stored on the system
  Tries to access WinSCP stored sessions.
  spyware stealer
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  174708997758321cf926b69318c6c3f5
- SHA1
  
  645488089bf320f6864e0d0bc284c85216e56fbd
- SHA256
  
  f577b66492e97c7b8bf515398d8deb745abafd74f56fc03e67fce248ebbeb873
- SHA512
  
  214433597e04ca1ff9b4fe092d5d2997707a7c56f0f82c85d586088a200e4455028f3b9427d87b4f06f9252557d5be4b7a9138ea6a8d045df6209421fd8ca054
- SSDEEP
  
  48:S46+/ZTKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mCofjLl:zDuPbOBtWZBV8jAWiAJCdv2CmpL
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  11KB
- MD5
  
  0ff2d70cfdc8095ea99ca2dabbec3cd7
- SHA1
  
  10c51496d37cecd0e8a503a5a9bb2329d9b38116
- SHA256
  
  982c5fb7ada7d8c9bc3e419d1c35da6f05bc5dd845940c179af3a33d00a36a8b
- SHA512
  
  cb5fc0b3194f469b833c2c9abf493fcec5251e8609881b7f5e095b9bd09ed468168e95dda0ba415a7d8d6b7f0dee735467c0ed8e52b223eb5359986891ba6e2e
- SSDEEP
  
  192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
Score

3^/10

discovery
behavioral5 behavioral6