azorult | 19c0312864d584912db9c26e1e52470276c02e8a309a8f9d58be6df48f50452f

General

Target

014777M.exe
Size

899KB
MD5

4d6869b4d193a2491e52b15dfa0bae81
SHA1

52f1c25066479318d5fad5d2f8af4d3855a0b987
SHA256

19c0312864d584912db9c26e1e52470276c02e8a309a8f9d58be6df48f50452f
SHA512

9edc876a4038aeb49e3403d28a1ae5a4cfd48a8d7019250ae00fd6f4f71cc7980164e51f5a250a9383197f3c372f57fd3c839e598c14382f426d6ef3a59fdf08

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://185.208.182.54/mmc/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

smevvevxd.pifRegSvcs.exe

pid process

1620 smevvevxd.pif
4076 RegSvcs.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

smevvevxd.pif

description pid process target process

PID 1620 set thread context of 4076 1620 smevvevxd.pif RegSvcs.exe

description	pid	process	target process
PID 1620 set thread context of 4076	1620	smevvevxd.pif	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvcs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

smevvevxd.pifRegSvcs.exe

pid	process
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
1620	smevvevxd.pif
4076	RegSvcs.exe
4076	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

014777M.exesmevvevxd.pif

description	pid	process	target process
PID 4052 wrote to memory of 1620	4052	014777M.exe	smevvevxd.pif
PID 4052 wrote to memory of 1620	4052	014777M.exe	smevvevxd.pif
PID 4052 wrote to memory of 1620	4052	014777M.exe	smevvevxd.pif
PID 1620 wrote to memory of 2500	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2500	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2500	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 192	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 192	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 192	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4072	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4072	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4072	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2172	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2172	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2172	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 1548	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 1548	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 1548	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2096	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2096	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 2096	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4080	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4080	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4080	1620	smevvevxd.pif	mshta.exe
PID 1620 wrote to memory of 4076	1620	smevvevxd.pif	RegSvcs.exe
PID 1620 wrote to memory of 4076	1620	smevvevxd.pif	RegSvcs.exe
PID 1620 wrote to memory of 4076	1620	smevvevxd.pif	RegSvcs.exe
PID 1620 wrote to memory of 4076	1620	smevvevxd.pif	RegSvcs.exe
PID 1620 wrote to memory of 4076	1620	smevvevxd.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\014777M.exe
"C:\Users\Admin\AppData\Local\Temp\014777M.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\43183237\smevvevxd.pif
"C:\Users\Admin\43183237\smevvevxd.pif" htaxb.are
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:2500

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:192

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:4072

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:2172

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1548

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:2096

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\43183237\htaxb.are

MD5
c0ba3245639a8bd5a253dd6f96747607

SHA1
bb53b21666154adb9ca23434f0ebf91bf2d79992

SHA256
be4eeda5b92f704fde773ab25c0a00ef3fe96a4645e0a558f9596345dc1ff578

SHA512
2cc6352dd7a12d2c32759db3708e2953493c736f0219f8c1e1250bdefbe94db2e46fbf2d369d941d936567fc95ebb70b74964fb1154eb687b1d19f110dc7d02c

Download Submit
C:\Users\Admin\43183237\smevvevxd.pif

MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\Users\Admin\43183237\smevvevxd.pif

MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\Users\Admin\43183237\xdshuo.docx

MD5
93654025608fcab723e0efa12b56ba1d

SHA1
721c84233c72d1daa3a657a885df8f2d9b716fbb

SHA256
9deff714f293ebfd6879b135a75fc1677f9aa60f5241a6cf382b298d0097aae3

SHA512
79fc16f13073af330ad2cb1566f2a660cf8d1977f30c1564f56b7f57ae95dfcfb3e48e4b4b779dd58621cdc774e2f2bfbeb3a47f6c911ff3da9165984fa8b2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/192-7-0x0000000000000000-mapping.dmp

Download
memory/1548-10-0x0000000000000000-mapping.dmp

Download
memory/1620-0-0x0000000000000000-mapping.dmp

Download
memory/1620-3-0x0000000072800000-0x0000000072893000-memory.dmp

Filesize
588KB

Download
memory/2096-11-0x0000000000000000-mapping.dmp

Download
memory/2172-9-0x0000000000000000-mapping.dmp

Download
memory/2500-6-0x0000000000000000-mapping.dmp

Download
memory/4072-8-0x0000000000000000-mapping.dmp

Download
memory/4076-14-0x0000000000F5A684-mapping.dmp

Download
memory/4076-13-0x0000000000F40000-0x0000000001482000-memory.dmp

Filesize
5.3MB

Download
memory/4076-17-0x0000000072800000-0x0000000072893000-memory.dmp

Filesize
588KB

Download
memory/4076-18-0x0000000000F40000-0x0000000001482000-memory.dmp

Filesize
5.3MB

Download
memory/4080-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads