azorult | 7d616629dceb30f4c3f4dec759fc0e802371115a1e8cd289aa731555df6be3ae

General

Target

New Order.exe
Size

964KB
MD5

03f50d159989c51c9d1a53aa4ab329e3
SHA1

d5564e5676412a6cfc7e6403201baeafafec72a2
SHA256

7d616629dceb30f4c3f4dec759fc0e802371115a1e8cd289aa731555df6be3ae
SHA512

66347700e3b597b3c01b6bd85700d86bbb2128adc6d20f63aab0525623803543049024591d4177208cffde88ae0dff77880cec31864954da42b07acca7f7f081

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://45.137.22.102/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 1856 set thread context of 616 1856 New Order.exe RegSvcs.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

672 schtasks.exe

description	pid	process	target process
PID 1856 set thread context of 616	1856	New Order.exe	RegSvcs.exe

pid	process
672	schtasks.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 1856 wrote to memory of 672	1856	New Order.exe	schtasks.exe
PID 1856 wrote to memory of 672	1856	New Order.exe	schtasks.exe
PID 1856 wrote to memory of 672	1856	New Order.exe	schtasks.exe
PID 1856 wrote to memory of 672	1856	New Order.exe	schtasks.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe
PID 1856 wrote to memory of 616	1856	New Order.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FbzLqkUY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28B6.tmp"
2⤵
- Creates scheduled task(s)
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp28B6.tmp
MD5
460d8895ee56f4e1841331750381ac1e

SHA1
2c083b7f12df0325306cbf75e93f8a8aad134f0f

SHA256
b0ecdbfac00648947a8f4b1bc231e56eca5a858ef6b1a5018fdb8da7ff1d48dc

SHA512
9d43ce3bb86aed4d22527230348d49f15894ffa29771df496c8f145b8e3c9fb8435ad1342b38b9f5e827c1d247abebd94535cd283570e7f32f04bad64b51101b

Download Submit
memory/616-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/616-11-0x000000000041A1F8-mapping.dmp

Download
memory/616-12-0x00000000767E1000-0x00000000767E3000-memory.dmp

Filesize
8KB

Download
memory/616-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/672-8-0x0000000000000000-mapping.dmp

Download
memory/1624-13-0x000007FEF67C0000-0x000007FEF6A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-3-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download
memory/1856-5-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1856-6-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/1856-7-0x00000000007E0000-0x000000000081B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads