Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 18:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
- Resource: win10
General
- Target: 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
- Size: 613KB
- MD5: f39696f5a42d2d53c17050bbfcc5154e
- SHA1: 8f5b5241ffbff92bc59d5801c064b881fbdd69dc
- SHA256: 5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f
- SHA512: 2eee98e43403d6740501dfe479529eb429ec300845691f8c81b38940cfa65d689fba48267abd42ed7f3532646b4f714a0fbba230871cced7fc9b8d6bc67f3f28
Malware Config
Extracted
- Family: azorult
- C2 URL: http://45.95.168.162/city/index.php
Signatures
-
- Suspicious behavior: EnumeratesProcesses (2672 IoCs)
  Processes (repeated entries collapsed; both PIDs are instances of the sample):
  pid   process
  3100  5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
  8     5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 3100 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe) wrote to memory of PID 3936 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe), 3 events
  PID 3100 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe) wrote to memory of PID 8 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe), 3 events
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  PID 3100 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 3100 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe) set thread context of PID 3936 (5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe)
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Processes
- C:\Users\Admin\AppData\Local\Temp\5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe"
  PID: 3100
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe"
    PID: 3936
  - C:\Users\Admin\AppData\Local\Temp\5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe" 2 3936 58640
    PID: 8
    - Suspicious behavior: EnumeratesProcesses
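The signature records above (WriteProcessMemory into two child PIDs, SetThreadContext on one of them, MapViewOfSection by the parent) together describe the parent spawning copies of its own image and injecting into them. The following Python script is an added example, not part of this sandbox report or of any sandbox vendor's tooling: it takes the report's process tree and signature lines (constructed inline as sample input), rebuilds the parent/child relationships, and scores each cross-process write by whether the target is a freshly spawned child of the same image and whether the writer also set its thread context, which is the combination that distinguishes process hollowing from the benign memory writes that installers and debuggers perform. The field names and the verdict strings are this example's own.

```python
import re
from collections import defaultdict

SAMPLE = "5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f.exe"
IMAGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Process list constructed from the report's process tree: (pid, parent pid, image path, command line)
PROCESSES = [
    (3100, None, IMAGE, f'"{IMAGE}"'),
    (3936, 3100, IMAGE, f'"{IMAGE}"'),
    (8,    3100, IMAGE, f'"{IMAGE}" 2 3936 58640'),
]

# Signature records in the wording the report uses (constructed copies of the lines above)
SIGNATURE_LINES = [
    "PID 3100 wrote to memory of 3936",
    "PID 3100 wrote to memory of 3936",
    "PID 3100 wrote to memory of 3936",
    "PID 3100 wrote to memory of 8",
    "PID 3100 wrote to memory of 8",
    "PID 3100 wrote to memory of 8",
    "PID 3100 set thread context of 3936",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


def parse_signatures(lines):
    """Return ({(src, dst): write_count}, {(src, dst) pairs that saw SetThreadContext})."""
    writes = defaultdict(int)
    ctx = set()
    for line in lines:
        m = WRITE_RE.search(line)
        if m:
            writes[(int(m[1]), int(m[2]))] += 1
            continue
        m = CTX_RE.search(line)
        if m:
            ctx.add((int(m[1]), int(m[2])))
    return dict(writes), ctx


def find_injection_candidates(processes, lines):
    """Score every cross-process write; the strongest verdict needs all three signals."""
    writes, ctx = parse_signatures(lines)
    by_pid = {p[0]: p for p in processes}
    findings = []
    for (src, dst), n in writes.items():
        if src not in by_pid or dst not in by_pid:
            continue  # writer or target not in the process tree; nothing to correlate
        same_image = by_pid[src][2].lower() == by_pid[dst][2].lower()
        is_child = by_pid[dst][1] == src
        set_ctx = (src, dst) in ctx
        if set_ctx and is_child and same_image:
            verdict = "process hollowing (self-injection into a spawned copy)"
        elif set_ctx:
            verdict = "thread context hijack into another process"
        elif is_child:
            verdict = "memory write into own child (possible injection, no context change seen)"
        else:
            verdict = "cross-process memory write"
        findings.append({
            "source": src, "target": dst, "writes": n,
            "same_image": same_image, "is_child": is_child,
            "set_thread_context": set_ctx, "verdict": verdict,
        })
    # Highest-confidence pairs first: SetThreadContext, then parent/child, then write volume
    findings.sort(key=lambda f: (f["set_thread_context"], f["is_child"], f["writes"]), reverse=True)
    return findings


def render_tree(processes, findings):
    """Print the process tree with each flagged child annotated by its verdict."""
    by_parent = defaultdict(list)
    by_pid = {p[0]: p for p in processes}
    for pid, ppid, _, _ in processes:
        by_parent[ppid].append(pid)
    flagged = {(f["source"], f["target"]): f["verdict"] for f in findings}
    out = []

    def walk(pid, depth):
        _, ppid, _, cmd = by_pid[pid]
        tag = flagged.get((ppid, pid))
        out.append("  " * depth + f"[{pid}] {cmd}" + (f"  <- {tag}" if tag else ""))
        for child in by_parent[pid]:
            walk(child, depth + 1)

    for root in by_parent[None]:
        walk(root, 0)
    return "\n".join(out)


if __name__ == "__main__":
    results = find_injection_candidates(PROCESSES, SIGNATURE_LINES)
    print(render_tree(PROCESSES, results))
    for f in results:
        print(f)
```

On this report the 3100 to 3936 pair scores highest (same image, direct child, three writes, then SetThreadContext), while 3100 to 8 has the writes but no context change, so it stays at the lower verdict; note that PID 8 was launched with the injected PID 3936 on its command line, which is visible in the process tree but not used by the scoring. On a live host the same correlation is done from endpoint telemetry rather than sandbox signatures, for example Sysmon Event ID 10 (ProcessAccess, with the granted access mask) joined to Event ID 1 (process creation) on the target PID.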