azorult | a86a46b09a2e8d7a353c868327c2a0300f0a71bc76654f6b5ae95bb0676ee73c

Analysis

max time kernel
63s
max time network
67s
platform
windows10_x64
resource
win10v20201028
submitted
05-03-2021 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Snap.Grabber.2.5.crack.by.aaocg.exe
Size

8.6MB
MD5

4c5d5630a17759bff9cb25a75a6de902
SHA1

7e30a081298ef34a5f7db00607f10c72464e4c96
SHA256

45411d2b5bf4e2d0e75af577252aba0a84ccc51e7b05e9b67a54390bb7aab8d8
SHA512

09d2a7fa28f88dd5c622b99318a7d68b1c3f9f6fa3edbe589cb067478dba73e790346b967599dde0745e8afeded0096c99d796206f691c34c903c97a01db80f3

Score

10^/10

azorult discovery infostealer spyware trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 8 IoCs

pid	Process
4056	keygen-pr.exe
4000	keygen-step-1.exe
4048	keygen-step-3.exe
3864	keygen-step-4.exe
688	key.exe
1060	file.exe
2284	1B2A.tmp.exe
1524	1B2A.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2284 set thread context of 1524	2284	1B2A.tmp.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1B2A.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1B2A.tmp.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3528	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1524	1B2A.tmp.exe
1524	1B2A.tmp.exe
1060	file.exe
1060	file.exe
1060	file.exe
1060	file.exe
1060	file.exe
1060	file.exe
1060	file.exe
1060	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	file.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 304	636	Snap.Grabber.2.5.crack.by.aaocg.exe	78
PID 636 wrote to memory of 304	636	Snap.Grabber.2.5.crack.by.aaocg.exe	78
PID 636 wrote to memory of 304	636	Snap.Grabber.2.5.crack.by.aaocg.exe	78
PID 304 wrote to memory of 4056	304	cmd.exe	81
PID 304 wrote to memory of 4056	304	cmd.exe	81
PID 304 wrote to memory of 4056	304	cmd.exe	81
PID 304 wrote to memory of 4000	304	cmd.exe	82
PID 304 wrote to memory of 4000	304	cmd.exe	82
PID 304 wrote to memory of 4000	304	cmd.exe	82
PID 304 wrote to memory of 4048	304	cmd.exe	83
PID 304 wrote to memory of 4048	304	cmd.exe	83
PID 304 wrote to memory of 4048	304	cmd.exe	83
PID 304 wrote to memory of 3864	304	cmd.exe	84
PID 304 wrote to memory of 3864	304	cmd.exe	84
PID 304 wrote to memory of 3864	304	cmd.exe	84
PID 4056 wrote to memory of 688	4056	keygen-pr.exe	85
PID 4056 wrote to memory of 688	4056	keygen-pr.exe	85
PID 4056 wrote to memory of 688	4056	keygen-pr.exe	85
PID 3864 wrote to memory of 1060	3864	keygen-step-4.exe	86
PID 3864 wrote to memory of 1060	3864	keygen-step-4.exe	86
PID 3864 wrote to memory of 1060	3864	keygen-step-4.exe	86
PID 4048 wrote to memory of 3344	4048	keygen-step-3.exe	87
PID 4048 wrote to memory of 3344	4048	keygen-step-3.exe	87
PID 4048 wrote to memory of 3344	4048	keygen-step-3.exe	87
PID 3344 wrote to memory of 3528	3344	cmd.exe	89
PID 3344 wrote to memory of 3528	3344	cmd.exe	89
PID 3344 wrote to memory of 3528	3344	cmd.exe	89
PID 688 wrote to memory of 2944	688	key.exe	90
PID 688 wrote to memory of 2944	688	key.exe	90
PID 688 wrote to memory of 2944	688	key.exe	90
PID 1060 wrote to memory of 2284	1060	file.exe	91
PID 1060 wrote to memory of 2284	1060	file.exe	91
PID 1060 wrote to memory of 2284	1060	file.exe	91
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92
PID 2284 wrote to memory of 1524	2284	1B2A.tmp.exe	92

C:\Users\Admin\AppData\Local\Temp\Snap.Grabber.2.5.crack.by.aaocg.exe
"C:\Users\Admin\AppData\Local\Temp\Snap.Grabber.2.5.crack.by.aaocg.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2944
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3344
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Users\Admin\AppData\Roaming\1B2A.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\1B2A.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Users\Admin\AppData\Roaming\1B2A.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\1B2A.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-27-0x00000000028C0000-0x0000000002A5C000-memory.dmp

Filesize
1.6MB

Download
memory/1060-28-0x0000000001340000-0x000000000134D000-memory.dmp

Filesize
52KB

Download
memory/1060-44-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1524-46-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1524-41-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2284-40-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2284-45-0x0000000003030000-0x0000000003075000-memory.dmp

Filesize
276KB

Download