azorult | 8f4d9fec8d65f36cc3379135373703612b13d644c2e92ef15e4100d77bef4f4d

Analysis

max time kernel
59s
max time network
62s
platform
windows10_x64
resource
win10v20201028
submitted
04-03-2021 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Autodesk_AutoCAD_keygen_by_KeygenNinja.exe
Size

8.6MB
MD5

26fb5cbb439c37c7437c43951b56a9e8
SHA1

ffe7d540afd6410bd69e502d47252930a1411f73
SHA256

ced746e74fedf490bf79b1c68c9e15290c33f42df5fd2281a13708fae54c8ea7
SHA512

f0a24019707d4ec9e8477037d2d2f83c511a0e4dc9aa0a0c7a4f97b4a8ab1ac1a5618145fc628068c326856cc0cf9e3c697489cdd4b0d92a369ebd54b5391a78

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 3 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exe

pid	Process
3552	keygen-pr.exe
3744	keygen-step-1.exe
3452	keygen-step-3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Autodesk_AutoCAD_keygen_by_KeygenNinja.execmd.exe

description	pid	Process	procid_target
PID 3584 wrote to memory of 2724	3584	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	78
PID 3584 wrote to memory of 2724	3584	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	78
PID 3584 wrote to memory of 2724	3584	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	78
PID 2724 wrote to memory of 3552	2724	cmd.exe	81
PID 2724 wrote to memory of 3552	2724	cmd.exe	81
PID 2724 wrote to memory of 3552	2724	cmd.exe	81
PID 2724 wrote to memory of 3744	2724	cmd.exe	82
PID 2724 wrote to memory of 3744	2724	cmd.exe	82
PID 2724 wrote to memory of 3744	2724	cmd.exe	82
PID 2724 wrote to memory of 3452	2724	cmd.exe	83
PID 2724 wrote to memory of 3452	2724	cmd.exe	83
PID 2724 wrote to memory of 3452	2724	cmd.exe	83
PID 2724 wrote to memory of 3892	2724	cmd.exe	84
PID 2724 wrote to memory of 3892	2724	cmd.exe	84
PID 2724 wrote to memory of 3892	2724	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      PID:2908
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:3744
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:3452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:3576
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      PID:3104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
89f7ad256df563480c5a021e7a773607

SHA1
789d561a08cecaddc6fcec14a4636194be4117e3

SHA256
1e145075f05309453196d719cf7951170398c649aa6a8369329ce175764238dc

SHA512
af8bfadd27f1310b272a241ec6a43489440b5da67f4b87f2e7c644c609e8287309a47496292a03a3b4b35157617c6b2acf9e3b6ca099b4ffc48b0fabca42c881

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

MD5
edbe1e8bb2816c5592060ca85b4ec058

SHA1
247b82037562a2d2104346733bec6d076f0feb72

SHA256
742d0d80fc5bdde61383510dc2d3a8c2a7a707099a115b1f9d8ebc5cab1f3fa2

SHA512
b5627a48905eae2ee25ca1557aa98ee3714c585169e8535ae5c7d04c7a44d38dcb432ce4d4c05bb76306d1190e0c018d64a86edd7118e6464327261e81c7f634

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

MD5
9aaafaed80038c9dcb3bb6a532e9d071

SHA1
4657521b9a50137db7b1e2e84193363a2ddbd74f

SHA256
e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5

SHA512
9d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
7b24b13d41ba8fda6ce9ba58474c95c0

SHA1
291bb7b06c8fd6573f87f0b85ea20e69dbf1ba92

SHA256
0af3a76d856ba48002a9d6044b87c6b4bc449a5fc08d8445c9dd107b5fcddaed

SHA512
0ebd42d34ef2aaf53ec48afcf0bdc73fe7141a61467115d69a43b602076d5d6e916f5c0f49ae23aa532552c2ab5f4d26252909ba67ecf86bc50f8a15a7deeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

MD5
19ff69e9001ea949f0da1785207e532d

SHA1
c80a2e6b5ef2b87a89ff9d9e3a9f1823c2a53c5d

SHA256
9e7b1db4d9dd97d2ef477017292e418120a23c5b5e3e74afea8f6784b2574bd0

SHA512
c8380347c8d98ab4c82d64f8fe5bd044ec220572675ecaf58283088c8a330c2e642f940899a69d2dd2322c91e13c3ba561f48056ad52c783c7c4130565bc03f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

MD5
322366362aa532270033473dea5ab2c7

SHA1
a2239f5e01f88cde0804ef59f94314b99b2334bb

SHA256
b850f0eefac2039bc1de386e754448db4351ffc044180766d638bb8fa1aac016

SHA512
11d6d6848ecb09a57de871db9dd9c95d460eeb38e13975e8061d8d38be3f3d431392ea9ae804307a550739d97f30913200907da74efc3ff11775d27944faf149

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe

MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe

MD5
00b13d9e31b23b433b93896d0aad534f

SHA1
7cc83b3eded78ceec5b3c53c3258537f68d2fead

SHA256
30201b0980fb3d6e47488b074087d73e96cc0b4ded0545e236259152fa9d2e3d

SHA512
7243e9ae5dc4b9e261191dbde7ce413f99802c32b22ae26e030b7cbff5968617f52e3a0d2ab0c7ef8834f8378edcddc4a9da586e0783f34e26cd08b0bf1b626b

Download Submit
memory/2724-4-0x0000000000000000-mapping.dmp

Download
memory/2908-18-0x0000000000000000-mapping.dmp

Download
memory/3104-22-0x0000000000000000-mapping.dmp

Download
memory/3452-12-0x0000000000000000-mapping.dmp

Download
memory/3552-6-0x0000000000000000-mapping.dmp

Download
memory/3576-25-0x0000000000000000-mapping.dmp

Download
memory/3744-8-0x0000000000000000-mapping.dmp

Download
memory/3892-15-0x0000000000000000-mapping.dmp

Download