azorult | 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13

General

Target

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
Size

88KB
MD5

7e61b2b7856c264f9f70ccaef847494c
SHA1

aa0c219b24a943d0276cb98c3bd6237f24dd6887
SHA256

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13
SHA512

60b26c9acb0379fa8cb272eeac46d5a08766e5a00389121091ec66d255a5b2d1e4903346e963e097df6b88378e201b44f31d1bfc2117d3d9efc40e90284d5508

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1756-10-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/1756-12-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/1756-13-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def

Executes dropped EXE 3 IoCs

Processes:

fdsf.exefdsf.exefdsf.exe

pid process

1480 fdsf.exe
1764 fdsf.exe
1756 fdsf.exe

Checks QEMU agent state file 2 TTPs 2 IoCs

Checks state file used by QEMU agent, possibly to detect virtualization.

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe

description	ioc	process
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
File opened (read-only)	C:\ProgramData\qemu-ga\qga.state	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe

Loads dropped DLL 3 IoCs

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exefdsf.exe

pid process

1020 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
1480 fdsf.exe
1480 fdsf.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
1480	fdsf.exe
1480	fdsf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe

pid	process
1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exefdsf.exe

description	pid	process	target process
PID 1296 set thread context of 1020	1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
PID 1480 set thread context of 1756	1480	fdsf.exe	fdsf.exe

Suspicious behavior: EnumeratesProcesses 166 IoCs

Processes:

fdsf.exefdsf.exe

pid	process
1480	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe
1756	fdsf.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe

pid process

1296 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fdsf.exefdsf.exe

description pid process

Token: SeDebugPrivilege 1480 fdsf.exe
Token: SeDebugPrivilege 1756 fdsf.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exefdsf.exe

pid process

1296 2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
1756 fdsf.exe
1756 fdsf.exe

description	pid	process
Token: SeDebugPrivilege	1480	fdsf.exe
Token: SeDebugPrivilege	1756	fdsf.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exefdsf.exefdsf.exe

description	pid	process	target process
PID 1296 wrote to memory of 1020	1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
PID 1296 wrote to memory of 1020	1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
PID 1296 wrote to memory of 1020	1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
PID 1296 wrote to memory of 1020	1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
PID 1296 wrote to memory of 1020	1296	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
PID 1020 wrote to memory of 1480	1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	fdsf.exe
PID 1020 wrote to memory of 1480	1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	fdsf.exe
PID 1020 wrote to memory of 1480	1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	fdsf.exe
PID 1020 wrote to memory of 1480	1020	2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe	fdsf.exe
PID 1480 wrote to memory of 1764	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1764	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1764	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1764	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1480 wrote to memory of 1756	1480	fdsf.exe	fdsf.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe
PID 1756 wrote to memory of 1072	1756	fdsf.exe	cmstp.exe

C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
"C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe"
1⤵
- Checks QEMU agent state file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe
"C:\Users\Admin\AppData\Local\Temp\2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13.exe"
2⤵
- Checks QEMU agent state file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\fdsf.exe
"C:\Users\Admin\AppData\Local\Temp\fdsf.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\fdsf.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1764

C:\Users\Admin\AppData\Local\Temp\fdsf.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

\??\c:\windows\SysWOW64\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\oapivsvn.inf
5⤵
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
C:\Windows\temp\oapivsvn.inf
MD5
488582f9401169c8bd9b8088bb469720

SHA1
7d2430a9a03cd7be21fa1c21e00f791febd2d4f2

SHA256
e74855808223a95010ddee92d1fb8079757e12f975e134b6c24d33f17a38c220

SHA512
2f387dcfda412107acd2c06e306d3ff24feb3de1ebadfac4e7ccbfa7b04cdbee812548ca8353150cf530840f487d7874cd8bfe56fb6b05920f515548428d9f38

Download Submit
\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
\Users\Admin\AppData\Local\Temp\fdsf.exe
MD5
788fe4e8bdcff1069a879664b02410ec

SHA1
3931f99406bf4f8e5320bfd8c3b89a5fdc7b0d55

SHA256
fdf5e4a689691a96bf93bc3b34b6368b1902a5413980def6a864a57f0325ef4f

SHA512
b63d2495f737e0b6f58e0b25b5ca03280c6db4abbc9ca06a78192930cdea6586a3864daad819320c932915b81b55d1f0136726097e11c5b831cbf1944b354384

Download Submit
memory/1480-6-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1756-10-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1756-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1756-13-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads