azorult | c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc

General

Target

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
Size

665KB
MD5

5a53757b89c36371c230f538af7c88be
SHA1

700d6f4842b10e50241af15a76193d0e8589c919
SHA256

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc
SHA512

4ec554af412268d8630522ec11a0e765d64cfa1632b2e37983e4d83058f5a526acc769175f0044cfed7d559ff08ddd01b1f7b0cc4c86e69b92bc1cc552e5c631

Score

10^/10

azorult evasion infostealer trojan

Malware Config

Extracted

Family

azorult

C2

https://www.colegionewtonsatipo.com/wp/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

description	pid	process	target process
PID 1136 set thread context of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3320 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

pid process

1136 c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

description pid process

Token: SeDebugPrivilege 1136 c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

pid	process
3320	schtasks.exe

pid	process
1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

description	pid	process
Token: SeDebugPrivilege	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

description	pid	process	target process
PID 1136 wrote to memory of 3320	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	schtasks.exe
PID 1136 wrote to memory of 3320	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	schtasks.exe
PID 1136 wrote to memory of 3320	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	schtasks.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
PID 1136 wrote to memory of 388	1136	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe	c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe

C:\Users\Admin\AppData\Local\Temp\c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
"C:\Users\Admin\AppData\Local\Temp\c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GdqmbibzRCsneB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A1C.tmp"
2⤵
- Creates scheduled task(s)
PID:3320

C:\Users\Admin\AppData\Local\Temp\c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe
"C:\Users\Admin\AppData\Local\Temp\c466e40f734907249b98c31faefbf51c6da78cfa88159f03f661a7b8157babbc.exe"
2⤵
PID:388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A1C.tmp
MD5
d4c80e213c594b1481d3f91d44bb2093

SHA1
f01b26950cec5fb3fca6cb7ce54b3792b2d08d53

SHA256
e485b64a920a3ffb6057fb5ec63b98c6ce85ea0bf8ee85fea076b50277e327d9

SHA512
b0684080bcb38b1672c58188701babd884dd9b3261e35484ecd93c7b0bf1090c42ae056a30e96dfb110790d0d4b735ee11cb795c5847a03c6b1143a285f82fe1

Download Submit
memory/388-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/388-15-0x000000000041A684-mapping.dmp

Download
memory/388-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1136-5-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1136-6-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1136-7-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/1136-8-0x0000000004E80000-0x0000000004E8B000-memory.dmp

Filesize
44KB

Download
memory/1136-9-0x00000000059E0000-0x0000000005A33000-memory.dmp

Filesize
332KB

Download
memory/1136-10-0x0000000000C80000-0x0000000000C9F000-memory.dmp

Filesize
124KB

Download
memory/1136-11-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1136-0-0x0000000073BE0000-0x00000000742CE000-memory.dmp

Filesize
6.9MB

Download
memory/1136-4-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/1136-3-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/1136-1-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3320-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads