azorult | ea9930998c8123058a6d1768c857bf6504a933be30556afb4dad2e192e4e8c45

General

Target

SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
Size

485KB
MD5

cc219392a073e3c644174607af417b93
SHA1

bc886a54b29a6176d88809a364c669d013403378
SHA256

ea9930998c8123058a6d1768c857bf6504a933be30556afb4dad2e192e4e8c45
SHA512

d72ce4cbd922007ac0e092826cfdc7a15071a4754404095aafba3a1fd9bcf86b24091ff9aed1f2f6b5535787253cf34707e08c036b0399acc42fa7fd4959659b

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://workwithjoshuaking.com/ssq/cow/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

ServiceHost packer 8 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/3960-22-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-24-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-23-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-25-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-26-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-28-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-30-0x000000000041A1F8-mapping.dmp	servicehost
behavioral2/memory/3960-32-0x000000000041A1F8-mapping.dmp	servicehost

Executes dropped EXE 2 IoCs

Processes:

AddInProcess32.exeAddInProcess32.exe

pid process

3784 AddInProcess32.exe
3960 AddInProcess32.exe
Loads dropped DLL 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe

pid process

3948 SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
3948 SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
3784	AddInProcess32.exe
3960	AddInProcess32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe

description	pid	process	target process
PID 3948 set thread context of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 set thread context of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2632	3948	WerFault.exe	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
1340	3960	WerFault.exe	AddInProcess32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exeAddInProcess32.exeWerFault.exeWerFault.exe

pid	process
3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
3784	AddInProcess32.exe
3784	AddInProcess32.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe
2632	WerFault.exe
1340	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
Token: SeTakeOwnershipPrivilege	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
Token: SeRestorePrivilege	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
Token: SeRestorePrivilege	2632	WerFault.exe
Token: SeBackupPrivilege	2632	WerFault.exe
Token: SeDebugPrivilege	1340	WerFault.exe
Token: SeDebugPrivilege	2632	WerFault.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe

description	pid	process	target process
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3784	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe
PID 3948 wrote to memory of 3960	3948	SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.34955709.32167.29009.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
2⤵
- Executes dropped EXE
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 1160
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 1564
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
\Users\Admin\AppData\Local\Temp\e34dd831-6d57-4d92-81ec-c008864dca6e\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/1340-35-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1340-20-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/2632-29-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2632-19-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/3784-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3784-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3784-11-0x000000000041A1F8-mapping.dmp

Download
memory/3948-8-0x0000000006C00000-0x0000000006C16000-memory.dmp

Filesize
88KB

Download
memory/3948-3-0x0000000005080000-0x00000000050B2000-memory.dmp

Filesize
200KB

Download
memory/3948-0-0x0000000073660000-0x0000000073D4E000-memory.dmp

Filesize
6.9MB

Download
memory/3948-7-0x0000000006C50000-0x0000000006C51000-memory.dmp

Filesize
4KB

Download
memory/3948-6-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/3948-5-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/3948-1-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/3960-24-0x000000000041A1F8-mapping.dmp

Download
memory/3960-23-0x000000000041A1F8-mapping.dmp

Download
memory/3960-25-0x000000000041A1F8-mapping.dmp

Download
memory/3960-26-0x000000000041A1F8-mapping.dmp

Download
memory/3960-28-0x000000000041A1F8-mapping.dmp

Download
memory/3960-30-0x000000000041A1F8-mapping.dmp

Download
memory/3960-32-0x000000000041A1F8-mapping.dmp

Download
memory/3960-16-0x000000000041A1F8-mapping.dmp

Download
memory/3960-22-0x000000000041A1F8-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads