azorult | 788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0

General

Target

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
Size

826KB
MD5

4b1703f0fedf97b6fd5ed404a790236c
SHA1

f9712dae7825a77bd33ed623ca335378a161c502
SHA256

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0
SHA512

4c874f3e6288e7081cc84286aad67b8b344050d9c6559e0f05b676c6e75a9c8dca3b6cc9383bbf3946189d7eafdec078f25b162d0f63787ae419def7221a7da0

Score

10^/10

azorult evasion infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://al-ifah.com/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

description	pid	process	target process
PID 4052 set thread context of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3176 schtasks.exe

pid	process
3176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

pid	process
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

description pid process

Token: SeDebugPrivilege 4052 788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

description	pid	process
Token: SeDebugPrivilege	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
"C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VkxqbQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp272.tmp"
2⤵
- Creates scheduled task(s)
PID:3176

C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
"C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
2⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
"C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
2⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
"C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
2⤵
PID:2876

C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
"C:\Users\Admin\AppData\Local\Temp\788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe"
2⤵
PID:3712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp272.tmp
MD5
7a580571fd7e32ecea498889f704c40b

SHA1
004658ed54898f2b803ffaa519477792b070e799

SHA256
0333b734786f4ae83e81f75ae21e4ab8a6b243fedd3c6b353f265ab82418caf0

SHA512
99d14331eaa00f61671a1fd564a6cf238e25076d1829e0db3dada28547ff3a086ae99202680c2410f68fbc40ee63cf24c0eb9c724763b668781c511e80145c71

Download Submit
memory/3176-13-0x0000000000000000-mapping.dmp

Download
memory/3712-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3712-16-0x000000000041A684-mapping.dmp

Download
memory/3712-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4052-9-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/4052-2-0x0000000073820000-0x0000000073F0E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-10-0x00000000049B0000-0x00000000049C2000-memory.dmp

Filesize
72KB

Download
memory/4052-11-0x0000000005710000-0x0000000005764000-memory.dmp

Filesize
336KB

Download
memory/4052-12-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/4052-8-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4052-7-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4052-6-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4052-5-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4052-3-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 4052 wrote to memory of 3176	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	schtasks.exe
PID 4052 wrote to memory of 3176	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	schtasks.exe
PID 4052 wrote to memory of 3176	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	schtasks.exe
PID 4052 wrote to memory of 3972	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3972	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3972	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 2068	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 2068	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 2068	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 2876	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 2876	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 2876	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe
PID 4052 wrote to memory of 3712	4052	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe	788fae56b0ee2bd0adf59261a5eb1e8c61e3bc7352e3f0c5621f770fdacbe9c0.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads