azorult | 48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73

Analysis

max time kernel
123s
max time network
123s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe
Size

1016KB
MD5

329eb21fd7ed1e184c14f77a998dff71
SHA1

0ef2938890ed8352c65763a0450ae8754d499f87
SHA256

48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73
SHA512

9ffda07a378394a08b93ed09b7c91136cc00e5fc944ad6426368509690e0d9258406cad25473553ed954cf60af76e5649e6eb3a4f3e3cfc2698202816f2e2900

Score

10^/10

azorult discovery infostealer spyware trojan

Malware Config

Extracted

Family

azorult

http://185.208.182.54/mmc/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

dbhvfiti.pifRegSvcs.exe

pid process

3444 dbhvfiti.pif
2676 RegSvcs.exe
Loads dropped DLL 4 IoCs

Processes:

RegSvcs.exe

pid process

2676 RegSvcs.exe
2676 RegSvcs.exe
2676 RegSvcs.exe
2676 RegSvcs.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
2676	RegSvcs.exe
2676	RegSvcs.exe
2676	RegSvcs.exe
2676	RegSvcs.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll	js

Suspicious use of SetThreadContext 1 IoCs

Processes:

dbhvfiti.pif

description pid process target process

PID 3444 set thread context of 2676 3444 dbhvfiti.pif RegSvcs.exe

description	pid	process	target process
PID 3444 set thread context of 2676	3444	dbhvfiti.pif	RegSvcs.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegSvcs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

dbhvfiti.pifRegSvcs.exe

pid	process
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
3444	dbhvfiti.pif
2676	RegSvcs.exe
2676	RegSvcs.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exedbhvfiti.pif

description	pid	process	target process
PID 3980 wrote to memory of 3444	3980	48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe	dbhvfiti.pif
PID 3980 wrote to memory of 3444	3980	48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe	dbhvfiti.pif
PID 3980 wrote to memory of 3444	3980	48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe	dbhvfiti.pif
PID 3444 wrote to memory of 416	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 416	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 416	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 3360	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 3360	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 3360	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1120	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1120	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1120	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1988	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1988	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1988	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1240	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1240	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1240	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 3892	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 3892	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 3892	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1960	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1960	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 1960	3444	dbhvfiti.pif	mshta.exe
PID 3444 wrote to memory of 2676	3444	dbhvfiti.pif	RegSvcs.exe
PID 3444 wrote to memory of 2676	3444	dbhvfiti.pif	RegSvcs.exe
PID 3444 wrote to memory of 2676	3444	dbhvfiti.pif	RegSvcs.exe
PID 3444 wrote to memory of 2676	3444	dbhvfiti.pif	RegSvcs.exe
PID 3444 wrote to memory of 2676	3444	dbhvfiti.pif	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe
"C:\Users\Admin\AppData\Local\Temp\48491053b3ea162d0dd1b8213809e8f942ae30964c0963daf856d5c310e6be73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\36534553\dbhvfiti.pif
"C:\36534553\dbhvfiti.pif" avxoqwc.voe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:416

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:3360

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1120

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1988

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1240

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:3892

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\36534553\avxoqwc.voe
MD5
344db84184d0dad4dd7debdd590d57db

SHA1
58e68a495c1aac9c7f326fed10a299d2e79bb2fd

SHA256
d5d630c7659d9e8eb4b0bb704515eb5020fb759586a22ede35f6847811736887

SHA512
3dfe65e3ad0cc68c21702b8a30c05c43020dafcae399511efb911fc0fbf692d02dba74e62401a76f56970a7fed3b9bc4c0439b44a88bf8f748b3df6e8c712fb2

Download Submit
C:\36534553\cgrmrtk.msc
MD5
5bee1e3b54aef4f9e6886466aa6697ec

SHA1
eb45ab8498207b1fe9ec1b1e747f286d2c1459af

SHA256
9f0489c9624c5c7ad1d3e02368940b5a0a3a5cc114a474ed9d3c9cefd2f6ee7e

SHA512
5a86f7300a9266ba5ea6573aaecafce94138b2fb3092ac4ce6b9a9edf79efc686aaf89749c535765ad762b7b1eedab89a74dae7a502aabf5fe63d67c93e88301

Download Submit
C:\36534553\dbhvfiti.pif
MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\36534553\dbhvfiti.pif
MD5
43e7db53ce5c130179aef5b47dcf7608

SHA1
5398e207d9ad301860b570d87601c1664ada9c0a

SHA256
9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

SHA512
a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\CE87CE80\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/416-7-0x0000000000000000-mapping.dmp

Download
memory/1120-9-0x0000000000000000-mapping.dmp

Download
memory/1240-11-0x0000000000000000-mapping.dmp

Download
memory/1960-13-0x0000000000000000-mapping.dmp

Download
memory/1988-10-0x0000000000000000-mapping.dmp

Download
memory/2676-14-0x0000000000F60000-0x00000000014B9000-memory.dmp

Filesize
5.3MB

Download
memory/2676-18-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/2676-19-0x0000000000F60000-0x00000000014B9000-memory.dmp

Filesize
5.3MB

Download
memory/2676-15-0x0000000000F7A684-mapping.dmp

Download
memory/3360-8-0x0000000000000000-mapping.dmp

Download
memory/3444-1-0x0000000000000000-mapping.dmp

Download
memory/3444-4-0x0000000072BC0000-0x0000000072C53000-memory.dmp

Filesize
588KB

Download
memory/3892-12-0x0000000000000000-mapping.dmp

Download