azorult | 2d25d136b12c900209489988b87ec94520c0734f4f31d4497fa47dfefc551bb4

General

Target

EF9CD60A0EAFF97739F93B74525150DA.exe
Size

112KB
MD5

ef9cd60a0eaff97739f93b74525150da
SHA1

8669815a5c44a34628b525a805b3523d067fe200
SHA256

2d25d136b12c900209489988b87ec94520c0734f4f31d4497fa47dfefc551bb4
SHA512

1aa3d37ddf8dff3688497b2b04bc94055f0292830066e774dfda11c9f32b904096fbd8e55c0c30ea33008d6a52d1c18a3bdba537581e7d9d7783e8179da5b9e8

Score

10^/10

azorult echelon discovery infostealer spyware stealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Executes dropped EXE 1 IoCs

Processes:

Price.exe

pid process

2740 Price.exe

pid	process
2740	Price.exe

Loads dropped DLL 4 IoCs

Processes:

EF9CD60A0EAFF97739F93B74525150DA.exe

pid	process
1052	EF9CD60A0EAFF97739F93B74525150DA.exe
1052	EF9CD60A0EAFF97739F93B74525150DA.exe
1052	EF9CD60A0EAFF97739F93B74525150DA.exe
1052	EF9CD60A0EAFF97739F93B74525150DA.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
21 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 2740 WerFault.exe Price.exe

flow	ioc
16	api.ipify.org
17	api.ipify.org
21	ip-api.com

pid	pid_target	process	target process
1672	2740	WerFault.exe	Price.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EF9CD60A0EAFF97739F93B74525150DA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EF9CD60A0EAFF97739F93B74525150DA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EF9CD60A0EAFF97739F93B74525150DA.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3628 timeout.exe

pid	process
3628	timeout.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

EF9CD60A0EAFF97739F93B74525150DA.exePrice.exeWerFault.exe

pid	process
1052	EF9CD60A0EAFF97739F93B74525150DA.exe
1052	EF9CD60A0EAFF97739F93B74525150DA.exe
2740	Price.exe
2740	Price.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Price.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 2740 Price.exe
Token: SeDebugPrivilege 1672 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	2740	Price.exe
Token: SeDebugPrivilege	1672	WerFault.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

EF9CD60A0EAFF97739F93B74525150DA.execmd.exe

description	pid	process	target process
PID 1052 wrote to memory of 2740	1052	EF9CD60A0EAFF97739F93B74525150DA.exe	Price.exe
PID 1052 wrote to memory of 2740	1052	EF9CD60A0EAFF97739F93B74525150DA.exe	Price.exe
PID 1052 wrote to memory of 1528	1052	EF9CD60A0EAFF97739F93B74525150DA.exe	cmd.exe
PID 1052 wrote to memory of 1528	1052	EF9CD60A0EAFF97739F93B74525150DA.exe	cmd.exe
PID 1052 wrote to memory of 1528	1052	EF9CD60A0EAFF97739F93B74525150DA.exe	cmd.exe
PID 1528 wrote to memory of 3628	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 3628	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 3628	1528	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\EF9CD60A0EAFF97739F93B74525150DA.exe
"C:\Users\Admin\AppData\Local\Temp\EF9CD60A0EAFF97739F93B74525150DA.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\Price.exe
  "C:\Users\Admin\AppData\Local\Temp\Price.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2740 -s 2780
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "EF9CD60A0EAFF97739F93B74525150DA.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\timeout.exe
    C:\Windows\system32\timeout.exe 3
    3⤵
    - Delays execution with timeout.exe
    PID:3628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

5

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

5

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Price.exe

MD5
a3f0757188bc349e171b4c063dd1ad49

SHA1
999579d9a79bfbba128c33970879b71a35f0ff78

SHA256
de0c813c379846202be0847b1acc52df12913c6278be16a21d502f66bc2c00ff

SHA512
85d6b072ed974196a293303b8940926071bf8ea237600819a8e223d5ba38c432c5188e9ebe206f391f46a91470bb4143bd5a66bc37c201dfc7f498efd1aa086a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Price.exe

MD5
a3f0757188bc349e171b4c063dd1ad49

SHA1
999579d9a79bfbba128c33970879b71a35f0ff78

SHA256
de0c813c379846202be0847b1acc52df12913c6278be16a21d502f66bc2c00ff

SHA512
85d6b072ed974196a293303b8940926071bf8ea237600819a8e223d5ba38c432c5188e9ebe206f391f46a91470bb4143bd5a66bc37c201dfc7f498efd1aa086a

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\mozglue.dll

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\msvcp140.dll

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\nss3.dll

MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\4210A729\vcruntime140.dll

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
memory/1528-12-0x0000000000000000-mapping.dmp

Download
memory/1672-16-0x000001A244720000-0x000001A244721000-memory.dmp

Filesize
4KB

Download
memory/2740-6-0x0000000000000000-mapping.dmp

Download
memory/2740-9-0x00007FFEA3E10000-0x00007FFEA47FC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-10-0x0000020258B20000-0x0000020258B21000-memory.dmp

Filesize
4KB

Download
memory/2740-14-0x0000020273110000-0x0000020273112000-memory.dmp

Filesize
8KB

Download
memory/2740-15-0x0000020274030000-0x00000202740A0000-memory.dmp

Filesize
448KB

Download
memory/3628-13-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads