azorult | f540fb6b1e7f9612aa1ca6347c6de7a54ab883bcd23463a5011d0cbc57383974

General

Target

256057e4f992644fc9c1afe381f11ac1.exe
Size

714KB
MD5

256057e4f992644fc9c1afe381f11ac1
SHA1

1d31b5e458ab0fca9f494104671406082dc893f8
SHA256

f540fb6b1e7f9612aa1ca6347c6de7a54ab883bcd23463a5011d0cbc57383974
SHA512

94e264f2c159908d60ad57b7464e22b52d518b73a419f9bb940634862978cd058e244ecc0539e12dd10d94485d34d8340b7f26be5861179e5bc2d261fd430003

Score

10^/10

spyware discovery trojan infostealer azorult

Malware Config

Extracted

Family

azorult

C2

http://82.165.75.233/index.php

Signatures

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

256057e4f992644fc9c1afe381f11ac1.exe256057e4f992644fc9c1afe381f11ac1.exe

pid	process
3536	256057e4f992644fc9c1afe381f11ac1.exe
3536	256057e4f992644fc9c1afe381f11ac1.exe
3800	256057e4f992644fc9c1afe381f11ac1.exe
3800	256057e4f992644fc9c1afe381f11ac1.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

256057e4f992644fc9c1afe381f11ac1.exe

description	pid	process	target process
PID 3536 wrote to memory of 3800	3536	256057e4f992644fc9c1afe381f11ac1.exe	256057e4f992644fc9c1afe381f11ac1.exe
PID 3536 wrote to memory of 3800	3536	256057e4f992644fc9c1afe381f11ac1.exe	256057e4f992644fc9c1afe381f11ac1.exe
PID 3536 wrote to memory of 3800	3536	256057e4f992644fc9c1afe381f11ac1.exe	256057e4f992644fc9c1afe381f11ac1.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

256057e4f992644fc9c1afe381f11ac1.exe

pid process

3536 256057e4f992644fc9c1afe381f11ac1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

256057e4f992644fc9c1afe381f11ac1.exe

description pid process target process

PID 3536 set thread context of 3800 3536 256057e4f992644fc9c1afe381f11ac1.exe 256057e4f992644fc9c1afe381f11ac1.exe

description	pid	process	target process
PID 3536 set thread context of 3800	3536	256057e4f992644fc9c1afe381f11ac1.exe	256057e4f992644fc9c1afe381f11ac1.exe

Checks for installed software on the system 1 TTPs 31 IoCs

discovery

Query Registry

T1012

Processes:

256057e4f992644fc9c1afe381f11ac1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	256057e4f992644fc9c1afe381f11ac1.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	256057e4f992644fc9c1afe381f11ac1.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	256057e4f992644fc9c1afe381f11ac1.exe

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Loads dropped DLL 4 IoCs

Processes:

256057e4f992644fc9c1afe381f11ac1.exe

pid	process
3800	256057e4f992644fc9c1afe381f11ac1.exe
3800	256057e4f992644fc9c1afe381f11ac1.exe
3800	256057e4f992644fc9c1afe381f11ac1.exe
3800	256057e4f992644fc9c1afe381f11ac1.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

256057e4f992644fc9c1afe381f11ac1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	256057e4f992644fc9c1afe381f11ac1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	256057e4f992644fc9c1afe381f11ac1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe
"C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
PID:3536

C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe
"C:\Users\Admin\AppData\Local\Temp\256057e4f992644fc9c1afe381f11ac1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Checks for installed software on the system
- Loads dropped DLL
- Checks processor information in registry
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\2fda\mozglue.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\msvcp140.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\nss3.dll

Download Submit
\Users\Admin\AppData\Local\Temp\2fda\vcruntime140.dll

Download Submit
memory/3800-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3800-1-0x000000000041A1F8-mapping.dmp

Download
memory/3800-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads