azorult | c63d4581dbe839bdb9865bcb6033e9e0ef459d1c5406e9f4fd3a05f48b46d0f1

General

Target

211d05482c1fd312825c60c66efc9422.exe
Size

583KB
MD5

211d05482c1fd312825c60c66efc9422
SHA1

97bebe8dc282978e45a10c7fc2b4d3c557fa9208
SHA256

c63d4581dbe839bdb9865bcb6033e9e0ef459d1c5406e9f4fd3a05f48b46d0f1
SHA512

4b839ab094bc55153dbe3bd62516c389ed50942f2c18a44870e12a0f5e6eb793a0b47e63739c6c2fae854e45a9ef7130557bed367696798cc1737ad9fcf16a69

Score

10^/10

Family

azorult

C2

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

211d05482c1fd312825c60c66efc9422.exe

description pid process target process

PID 508 set thread context of 3064 508 211d05482c1fd312825c60c66efc9422.exe mscorsvw.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2068 3064 WerFault.exe mscorsvw.exe

description	pid	process	target process
PID 508 set thread context of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe

pid	pid_target	process	target process
2068	3064	WerFault.exe	mscorsvw.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

211d05482c1fd312825c60c66efc9422.exeWerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

211d05482c1fd312825c60c66efc9422.exe

description	pid	process	target process
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe
PID 508 wrote to memory of 3064	508	211d05482c1fd312825c60c66efc9422.exe	mscorsvw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
2⤵
PID:3064

memory/508-11-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/508-9-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/508-5-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/508-6-0x0000000004F90000-0x0000000004FA7000-memory.dmp

Filesize
92KB

Download
memory/508-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/508-8-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/508-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/508-10-0x0000000007950000-0x000000000795A000-memory.dmp

Filesize
40KB

Download
memory/508-7-0x0000000004FC0000-0x0000000004FDF000-memory.dmp

Filesize
124KB

Download
memory/2068-16-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/3064-13-0x000000000041A684-mapping.dmp

Download
memory/3064-14-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/3064-15-0x0000000000700000-0x0000000000720000-memory.dmp

Filesize
128KB

Download
memory/3064-18-0x000000000041A684-mapping.dmp

Download
memory/3064-17-0x000000000041A684-mapping.dmp

Download
memory/3064-19-0x000000000041A684-mapping.dmp

Download