General

  • Target

    f9bc3826335bcf6a03da3b8743c2bdcbc7747962786a83c90fd2b1d3c8b85353.exe

  • Size

    490KB

  • Sample

    250320-e82veaxpy3

  • MD5

    71427e30168be4926a10fe21dae81c7a

  • SHA1

    aee4f1bec725c899b9a9f03f93a18a1947b79995

  • SHA256

    f9bc3826335bcf6a03da3b8743c2bdcbc7747962786a83c90fd2b1d3c8b85353

  • SHA512

    489c8f52af9111dd1c732afdd9d249c644da06892495c6bacc2f0f76b3d0b0b491fd2b5371f9859b676b2ae6b42039d4cc630e102f5774d2be92a839e3498847

  • SSDEEP

    12288:hd9jqKTPrjjpshfe+ZXP/51bt6YtRhp9S8Uy514LyYR27:zcK/5shfe+ZXZr7/hNU6OTR4

Malware Config

Extracted

Family

azorult

C2

http://k1n4a.online/HL341/index.php
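The extracted C2 above is the most actionable indicator on this page. As an added example (not part of the sandbox report), the script below turns that URL into two separate indicators, the host and the panel path, and scans web-proxy log lines for either. The log format and the log lines are constructed for the example; the matcher treats subdomains of the C2 host as hits and also flags a POST to the same panel path on a different host, which is useful when the domain has been rotated but the kit path has not.

```python
# Added example, not code from the report: match proxy/web log lines against the
# AZORult C2 extracted from the sample. Log lines below are constructed.
from urllib.parse import urlsplit

C2_URL = "http://k1n4a.online/HL341/index.php"  # C2 from the extracted config


def c2_indicators(url: str):
    """Split a C2 URL into (hostname, path) so each can be matched on its own."""
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.path


def host_matches(host: str, c2_host: str) -> bool:
    """True for the C2 host itself or any subdomain of it (not for look-alikes)."""
    host = host.lower().rstrip(".")
    return host == c2_host or host.endswith("." + c2_host)


def scan_log(lines, c2_url=C2_URL):
    """Return (line_no, reason) for each line that touches the C2 host or panel path.

    Assumed (constructed) log format: 'timestamp client_ip method url status'.
    """
    c2_host, c2_path = c2_indicators(c2_url)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip rather than crash the scan
        method, url = fields[2], fields[3]
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if host_matches(host, c2_host):
            reasons.append("c2-host")
        # Same panel path, any host, via POST: catches a rotated C2 domain.
        if parts.path == c2_path and method.upper() == "POST":
            reasons.append("c2-path-post")
        if reasons:
            hits.append((n, ",".join(reasons)))
    return hits


# Constructed sample log: one benign request, one beacon, one subdomain hit,
# one rotated-domain beacon, and one look-alike host that must not match.
SAMPLE_LOG = [
    "2025-03-20T06:01:02Z 10.0.0.15 GET http://example.com/index.html 200",
    "2025-03-20T06:01:09Z 10.0.0.15 POST http://k1n4a.online/HL341/index.php 200",
    "2025-03-20T06:01:10Z 10.0.0.15 GET http://cdn.k1n4a.online/favicon.ico 404",
    "2025-03-20T06:02:33Z 10.0.0.22 POST http://other-host.test/HL341/index.php 200",
    "2025-03-20T06:03:00Z 10.0.0.22 GET http://notk1n4a.online/ 200",
]

if __name__ == "__main__":
    for line_no, reason in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {SAMPLE_LOG[line_no - 1]}")
```

The look-alike host on the last line is deliberately excluded: a plain substring match on "k1n4a.online" would have flagged it, so the suffix check is done on a dot boundary.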

Targets

    • Target

      f9bc3826335bcf6a03da3b8743c2bdcbc7747962786a83c90fd2b1d3c8b85353.exe

    • Size

      490KB

    • MD5

      71427e30168be4926a10fe21dae81c7a

    • SHA1

      aee4f1bec725c899b9a9f03f93a18a1947b79995

    • SHA256

      f9bc3826335bcf6a03da3b8743c2bdcbc7747962786a83c90fd2b1d3c8b85353

    • SHA512

      489c8f52af9111dd1c732afdd9d249c644da06892495c6bacc2f0f76b3d0b0b491fd2b5371f9859b676b2ae6b42039d4cc630e102f5774d2be92a839e3498847

    • SSDEEP

      12288:hd9jqKTPrjjpshfe+ZXP/51bt6YtRhp9S8Uy514LyYR27:zcK/5shfe+ZXZr7/hNU6OTR4

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from files stored without protection.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Wifiekie.Ove

    • Size

      52KB

    • MD5

      07c330dfa9d289638aff19bc6de49dd1

    • SHA1

      4818a80bf7242c8e57ccbc6236d3690362d23257

    • SHA256

      6fdda7b7b31726bcfce23627378558367eb2c93a3d6999dd3d999e04be63791f

    • SHA512

      52d12bbc1c4267db0c304c31ce430399b160a3f54ace43743a42d0db1450c87f738872caac4504f6f1693c2fffc6765680afc2cd90afc4165a70023bffb976c2

    • SSDEEP

      1536:wgwwRJEj3NddbJpwC+rKH90yVxFznzaILhpuPbnmkMPp:PXEj3Nrp2WdzaIL32bmkMPp

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.
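The Active Setup signature above describes the persistence mechanism only in one sentence. As an added example (not from the report or the sample), the code below implements the check Windows performs at logon for HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components against the same path under HKCU, so a responder can list which StubPath commands will execute at a user's next logon and which of them look like malware rather than a Windows component. Both hive snapshots are constructed for the example, including the component IDs; on a live host they would be read from the registry.

```python
# Added example, not code from the report: evaluate Active Setup entries the way
# the logon check does and flag StubPaths that look like persistence.
# Hive snapshots below are constructed; IDs are placeholders, not real GUIDs.
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Active Setup Version values are comma-separated integers, e.g. '1,0,0,1'."""
    if not v:
        return (0,)
    return tuple(int(x) for x in v.split(","))


def pending_stubpaths(hklm: Dict[str, dict], hkcu: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (component_id, StubPath) for components that will run at next logon.

    Rules implemented (documented Active Setup behaviour):
      - a component with no StubPath does nothing;
      - IsInstalled == 0 disables the component;
      - a component runs if the user has no HKCU record for it, or if the
        HKLM Version is greater than the HKCU Version.
    """
    pending = []
    for cid, comp in hklm.items():
        stub = comp.get("StubPath")
        if not stub or comp.get("IsInstalled", 1) == 0:
            continue
        user = hkcu.get(cid)
        if user is None or parse_version(comp.get("Version", "")) > parse_version(user.get("Version", "")):
            pending.append((cid, stub))
    return pending


# Heuristics only: user-writable locations and script hosts are rare in
# legitimate Active Setup entries, which normally point into System32.
USER_WRITABLE = ("%appdata%", "%temp%", "%localappdata%", "\\users\\", "\\programdata\\")
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "mshta")


def is_suspicious(stub: str) -> bool:
    s = stub.lower()
    return any(m in s for m in USER_WRITABLE) or any(h in s for h in SCRIPT_HOSTS)


def audit_active_setup(hklm, hkcu) -> List[Tuple[str, str, bool]]:
    """(component_id, StubPath, suspicious) for every entry due to run at next logon."""
    return [(cid, stub, is_suspicious(stub)) for cid, stub in pending_stubpaths(hklm, hkcu)]


# Constructed snapshot of HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components.
HKLM_SNAPSHOT = {
    "{00000000-0000-0000-0000-000000000001}": {  # already run by this user at this version
        "StubPath": r"C:\Windows\System32\ie4uinit.exe -ClearIconCache", "Version": "11,0,0,1", "IsInstalled": 1},
    "{00000000-0000-0000-0000-000000000002}": {  # HKLM version bumped: runs again
        "StubPath": r"C:\Windows\System32\unregmp2.exe /FirstLogon", "Version": "12,0,0,2", "IsInstalled": 1},
    "{00000000-0000-0000-0000-000000000003}": {  # no HKCU record: runs at next logon
        "StubPath": r"wscript.exe //B %APPDATA%\stub.vbs", "Version": "1,0,0,0", "IsInstalled": 1},
    "{00000000-0000-0000-0000-000000000004}": {  # disabled by IsInstalled = 0
        "StubPath": r"C:\Windows\System32\regsvr32.exe /s /n /i:U shell32.dll", "Version": "1,0,0,0", "IsInstalled": 0},
    "{00000000-0000-0000-0000-000000000005}": {"Version": "1,0,0,0"},  # no StubPath
}
# Constructed snapshot of the same path under HKCU for the user being examined.
HKCU_SNAPSHOT = {
    "{00000000-0000-0000-0000-000000000001}": {"Version": "11,0,0,1"},
    "{00000000-0000-0000-0000-000000000002}": {"Version": "12,0,0,1"},
}

if __name__ == "__main__":
    for cid, stub, sus in audit_active_setup(HKLM_SNAPSHOT, HKCU_SNAPSHOT):
        print(f"{'SUSPICIOUS' if sus else 'expected  '} {cid} -> {stub}")
```

Two points worth keeping in mind when using this on a real host: the HKCU comparison is per user, so a component that has already fired for the analyst's account can still be pending for every other profile, and the heuristics in `is_suspicious` are a triage aid, not a verdict; the HKLM entry itself should be examined regardless of how its StubPath looks.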

MITRE ATT&CK Enterprise v15
