azorult | 927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40

General

Target

927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe
Size

1.4MB
MD5

fa74845f2f8dfe23104fc2d762ff1cf3
SHA1

d402a70bc46d674be59091f9ef5822e19b730668
SHA256

927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40
SHA512

148adda151b8d07ebed7144db5799353892bc226c8dc01aa2c7c61fac34a2413e7f978f3303eff9baceba11f33ec71a4c8f6120da47c76da4fecd815deb8abb8

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://45.137.22.102/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

description	pid	process	target process
PID 3084 set thread context of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4000 schtasks.exe

pid	process
4000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

pid	process
3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe
3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe
3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

description pid process

Token: SeDebugPrivilege 3084 927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

description	pid	process
Token: SeDebugPrivilege	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe

description	pid	process	target process
PID 3084 wrote to memory of 4000	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	schtasks.exe
PID 3084 wrote to memory of 4000	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	schtasks.exe
PID 3084 wrote to memory of 4000	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	schtasks.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe
PID 3084 wrote to memory of 1124	3084	927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe
"C:\Users\Admin\AppData\Local\Temp\927a71433b9a6319596f77cd464971f343b5cdb6adb8b8ecce9f209ea7314f40.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\trvgrRVrbwOtQv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD19E.tmp"
2⤵
- Creates scheduled task(s)
PID:4000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD19E.tmp
MD5
e21a1c150bff97e29164eb44fd4d2842

SHA1
a2d307446920033b97767b089ae2dc72c4dd6fee

SHA256
2468cf85da8c1e4186e59d8a3a0ae2c9e6d56b4030a5068c880501d517745426

SHA512
ae00550426b16dd687a01557bf28338a14e64be905b215e0cad12cd5f244ac154da0e391e47f2d890385bc0a2070b49f2203b13de149eaae7e3b36fc13398544

Download Submit
memory/1124-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1124-16-0x000000000041A1F8-mapping.dmp

Download
memory/1124-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3084-9-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/3084-8-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/3084-2-0x0000000073940000-0x000000007402E000-memory.dmp

Filesize
6.9MB

Download
memory/3084-10-0x0000000005DD0000-0x0000000005DDE000-memory.dmp

Filesize
56KB

Download
memory/3084-11-0x00000000067A0000-0x00000000067EA000-memory.dmp

Filesize
296KB

Download
memory/3084-12-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/3084-7-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/3084-6-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/3084-5-0x00000000057C0000-0x0000000005829000-memory.dmp

Filesize
420KB

Download
memory/3084-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4000-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads