azorult | 5d21ac6bca0ba98cba5930bc0ad3bc702615c3169f8fd73535f920adb8f547b3

General

Target

Purchase Order.exe
Size

248KB
MD5

47d75d97c84b7f0381f7397c2234ac07
SHA1

c8d49410da62c0e7dd37b5f6403b03be0eb71857
SHA256

5d21ac6bca0ba98cba5930bc0ad3bc702615c3169f8fd73535f920adb8f547b3
SHA512

f506c875b97f7693eecaa9a03dcf8b3e9ad98c809bda1e45599e052331b80df4ee3b9a79b64f2347d6f61bdfde95f647a1389922ac6afb6ff87ce1e55c9c3f14

Score

10^/10

discovery trojan infostealer azorult spyware

Malware Config

Extracted

Family

azorult

C2

https://www.nirjhara.com/mine/32/index.php

Signatures

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Purchase Order.exe

description	pid	process	target process
PID 1424 wrote to memory of 828	1424	Purchase Order.exe	Purchase Order.exe
PID 1424 wrote to memory of 828	1424	Purchase Order.exe	Purchase Order.exe
PID 1424 wrote to memory of 828	1424	Purchase Order.exe	Purchase Order.exe
PID 1424 wrote to memory of 828	1424	Purchase Order.exe	Purchase Order.exe
PID 1424 wrote to memory of 828	1424	Purchase Order.exe	Purchase Order.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Purchase Order.exe

pid process

1424 Purchase Order.exe
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1424	Purchase Order.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Purchase Order.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Purchase Order.exe

description pid process

Token: SeDebugPrivilege 1424 Purchase Order.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Purchase Order.exe

description pid process target process

PID 1424 set thread context of 828 1424 Purchase Order.exe Purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	1424	Purchase Order.exe

description	pid	process	target process
PID 1424 set thread context of 828	1424	Purchase Order.exe	Purchase Order.exe

Loads dropped DLL 16 IoCs

Processes:

Purchase Order.exe

pid	process
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe
828	Purchase Order.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Purchase Order.exe

pid process

828 Purchase Order.exe

Checks for installed software on the system 1 TTPs 30 IoCs

discovery

Query Registry

T1012

Processes:

Purchase Order.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	Purchase Order.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	Purchase Order.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	Purchase Order.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	Purchase Order.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	Purchase Order.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetThreadContext
PID:1424

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"Purchase Order.exe"
2⤵
- Checks processor information in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
memory/828-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/828-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/828-1-0x000000000041A1F8-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads