azorult | fd975fd3af1f754bf7b03eca4ae29e3054f34f7176b26c2578efddde76947f70

General

Target

MTIR20283256_2101013335_20200507083759.PDF.exe
Size

406KB
MD5

6c378a9a4067f1affdb254dfa96943da
SHA1

12911df0be6ae9f4292038e60c5aad41073c55fd
SHA256

fd975fd3af1f754bf7b03eca4ae29e3054f34f7176b26c2578efddde76947f70
SHA512

33dc7b3b743bc77efea699a3508b4fbe1f0707cd6ad38f9cba8a1257b4c881d5cf6212d3c3a8cf1e3efe46dadff55747b1dee0b6df8942e268891e2a3d8f3858

Score

10^/10

azorult coreentity infostealer rezer0 trojan

Malware Config

Extracted

Family

azorult

C2

http://ensaenerji.com/mep/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral2/memory/3976-6-0x00000000050F0000-0x00000000050F3000-memory.dmp	coreentity

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/3976-7-0x0000000006C40000-0x0000000006C64000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.PDF.exe

description	pid	process	target process
PID 3976 set thread context of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2136 2412 WerFault.exe MTIR20283256_2101013335_20200507083759.PDF.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1144 schtasks.exe

pid	pid_target	process	target process
2136	2412	WerFault.exe	MTIR20283256_2101013335_20200507083759.PDF.exe

pid	process
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.PDF.exeWerFault.exe

pid	process
3976	MTIR20283256_2101013335_20200507083759.PDF.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe
2136	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.PDF.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3976	MTIR20283256_2101013335_20200507083759.PDF.exe
Token: SeRestorePrivilege	2136	WerFault.exe
Token: SeBackupPrivilege	2136	WerFault.exe
Token: SeDebugPrivilege	2136	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MTIR20283256_2101013335_20200507083759.PDF.exe

description	pid	process	target process
PID 3976 wrote to memory of 1144	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	schtasks.exe
PID 3976 wrote to memory of 1144	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	schtasks.exe
PID 3976 wrote to memory of 1144	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	schtasks.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe
PID 3976 wrote to memory of 2412	3976	MTIR20283256_2101013335_20200507083759.PDF.exe	MTIR20283256_2101013335_20200507083759.PDF.exe

C:\Users\Admin\AppData\Local\Temp\MTIR20283256_2101013335_20200507083759.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\MTIR20283256_2101013335_20200507083759.PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XeIkxtypDQCl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CEF.tmp"
2⤵
- Creates scheduled task(s)
PID:1144

C:\Users\Admin\AppData\Local\Temp\MTIR20283256_2101013335_20200507083759.PDF.exe
"{path}"
2⤵
PID:2412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 1196
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3CEF.tmp
MD5
92bc2d7b231dd192b858d4a4f162d221

SHA1
9f9832ea167ab62c0b91f4e443a89b0cb58bd2c3

SHA256
048ecfd079114ca4cad7ffd5da949e74d0ed2bd265c4d5308e35cd88c86140d3

SHA512
7088f2c7defddfb3c1673c46c20cce26019e47a33dc6cd1c181abcb48cce1a374415e39b356f2d0a2d71de5d34d4f0af61e20a66ed19d68bec6afb04f89b28b1

Download Submit
memory/1144-9-0x0000000000000000-mapping.dmp

Download
memory/2136-24-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2136-14-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2412-18-0x000000000041A1F8-mapping.dmp

Download
memory/2412-17-0x000000000041A1F8-mapping.dmp

Download
memory/2412-22-0x000000000041A1F8-mapping.dmp

Download
memory/2412-23-0x000000000041A1F8-mapping.dmp

Download
memory/2412-21-0x000000000041A1F8-mapping.dmp

Download
memory/2412-20-0x000000000041A1F8-mapping.dmp

Download
memory/2412-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2412-12-0x000000000041A1F8-mapping.dmp

Download
memory/2412-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2412-19-0x000000000041A1F8-mapping.dmp

Download
memory/2412-15-0x000000000041A1F8-mapping.dmp

Download
memory/2412-16-0x000000000041A1F8-mapping.dmp

Download
memory/3976-4-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3976-3-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/3976-0-0x0000000073920000-0x000000007400E000-memory.dmp

Filesize
6.9MB

Download
memory/3976-6-0x00000000050F0000-0x00000000050F3000-memory.dmp

Filesize
12KB

Download
memory/3976-5-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/3976-8-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/3976-7-0x0000000006C40000-0x0000000006C64000-memory.dmp

Filesize
144KB

Download
memory/3976-1-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads