azorult | 197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac

General

Target

197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
Size

588KB
MD5

f96504339eac3d66bcbf5747138ecd42
SHA1

b7934f3b5d67ad5855f405e958a218e1d2f43a0a
SHA256

197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac
SHA512

fa791e1c73666f3d3259eed938f3f4c4bd3b7a7e6a1000eea57071b10174ae5a0ca7f95746d513aace9389ff2a7f92e4424efec2a73abd5efd78695b3a850f86

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe

description	pid	process	target process
PID 740 set thread context of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 292 WerFault.exe 197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe

pid	pid_target	process	target process
1996	292	WerFault.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exeWerFault.exe

pid	process
740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
Token: SeDebugPrivilege	1996	WerFault.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe

description	pid	process	target process
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 740 wrote to memory of 292	740	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
PID 292 wrote to memory of 1996	292	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	WerFault.exe
PID 292 wrote to memory of 1996	292	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	WerFault.exe
PID 292 wrote to memory of 1996	292	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	WerFault.exe
PID 292 wrote to memory of 1996	292	197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
"C:\Users\Admin\AppData\Local\Temp\197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe
"C:\Users\Admin\AppData\Local\Temp\197137c5fd8c8051516f3004db4721d5d066b68d5d02695390a7e820635056ac.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 292 -s 432
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-212-0x000000000041A684-mapping.dmp

Download
memory/292-217-0x000000000041A684-mapping.dmp

Download
memory/292-220-0x000000000041A684-mapping.dmp

Download
memory/292-219-0x000000000041A684-mapping.dmp

Download
memory/292-218-0x000000000041A684-mapping.dmp

Download
memory/292-216-0x000000000041A684-mapping.dmp

Download
memory/292-213-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/740-197-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/740-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/740-210-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/740-196-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/740-116-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/740-115-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/740-7-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/740-6-0x0000000000260000-0x000000000027F000-memory.dmp

Filesize
124KB

Download
memory/740-5-0x0000000000210000-0x0000000000227000-memory.dmp

Filesize
92KB

Download
memory/740-3-0x0000000001090000-0x0000000001091000-memory.dmp

Filesize
4KB

Download
memory/1996-214-0x0000000000000000-mapping.dmp

Download
memory/1996-215-0x00000000020C0000-0x00000000020D1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads