azorult

General

Target

10f41b40edbe42f4e5f8eb2e879c26415f46167fa3806496e0eda8f1095d3a24.exe
Size

432KB
Sample

201109-shdws7ftzs
MD5

152bed595f3e44a195dee429aa152024
SHA1

a1d84cab88ff991c4face20b14b2eebcf7682bb5
SHA256

10f41b40edbe42f4e5f8eb2e879c26415f46167fa3806496e0eda8f1095d3a24
SHA512

272d53cd66e70ce2ac018c6125bd3cd651e2255b0b8b335a1018a9e31652059a61c0d5df0150cee65e5b03c9012ede2856dc86125163c2aca9cd335d08ccc38b

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://exportersgateway.com/scr/em/index.php

Targets

- Target
  
  10f41b40edbe42f4e5f8eb2e879c26415f46167fa3806496e0eda8f1095d3a24.exe
- Size
  
  432KB
- MD5
  
  152bed595f3e44a195dee429aa152024
- SHA1
  
  a1d84cab88ff991c4face20b14b2eebcf7682bb5
- SHA256
  
  10f41b40edbe42f4e5f8eb2e879c26415f46167fa3806496e0eda8f1095d3a24
- SHA512
  
  272d53cd66e70ce2ac018c6125bd3cd651e2255b0b8b335a1018a9e31652059a61c0d5df0150cee65e5b03c9012ede2856dc86125163c2aca9cd335d08ccc38b
Score

10^/10

azorult agilenet discovery infostealer spyware trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- JavaScript code in executable
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

4

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

4

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

JavaScript code in executable

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2