azorult | f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783

Target

[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Size

9.2MB
MD5

b806267b5f3b7760df56396b1cf05e6d
SHA1

5166d4c1d3e476281d9e991eababc3e4aa9ec5ad
SHA256

f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783
SHA512

30e393bb3898edc8ab5fb04e62ce421ddf3903075f59e3880408b300f46bb74a85088336d6e1203b2101152cebeef4c1730290b41ca77604ecb722c8f627328b

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 5 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exe

pid process

1180 keygen-pr.exe
324 keygen-step-1.exe
524 keygen-step-3.exe
472 keygen-step-4.exe
1796 key.exe
Loads dropped DLL 10 IoCs

Processes:

cmd.exekeygen-pr.exekey.exe

pid process

1608 cmd.exe
1608 cmd.exe
1608 cmd.exe
1608 cmd.exe
1608 cmd.exe
1180 keygen-pr.exe
1180 keygen-pr.exe
1180 keygen-pr.exe
1180 keygen-pr.exe
1796 key.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1428 PING.EXE

pid	process
1180	keygen-pr.exe
324	keygen-step-1.exe
524	keygen-step-3.exe
472	keygen-step-4.exe
1796	key.exe

pid	process
1608	cmd.exe
1608	cmd.exe
1608	cmd.exe
1608	cmd.exe
1608	cmd.exe
1180	keygen-pr.exe
1180	keygen-pr.exe
1180	keygen-pr.exe
1180	keygen-pr.exe
1796	key.exe

pid	process
1428	PING.EXE

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.execmd.exekeygen-pr.exekey.exekeygen-step-3.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 1608	2004	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	cmd.exe
PID 2004 wrote to memory of 1608	2004	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	cmd.exe
PID 2004 wrote to memory of 1608	2004	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	cmd.exe
PID 2004 wrote to memory of 1608	2004	[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe	cmd.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 1180	1608	cmd.exe	keygen-pr.exe
PID 1608 wrote to memory of 324	1608	cmd.exe	keygen-step-1.exe
PID 1608 wrote to memory of 324	1608	cmd.exe	keygen-step-1.exe
PID 1608 wrote to memory of 324	1608	cmd.exe	keygen-step-1.exe
PID 1608 wrote to memory of 324	1608	cmd.exe	keygen-step-1.exe
PID 1608 wrote to memory of 524	1608	cmd.exe	keygen-step-3.exe
PID 1608 wrote to memory of 524	1608	cmd.exe	keygen-step-3.exe
PID 1608 wrote to memory of 524	1608	cmd.exe	keygen-step-3.exe
PID 1608 wrote to memory of 524	1608	cmd.exe	keygen-step-3.exe
PID 1608 wrote to memory of 472	1608	cmd.exe	keygen-step-4.exe
PID 1608 wrote to memory of 472	1608	cmd.exe	keygen-step-4.exe
PID 1608 wrote to memory of 472	1608	cmd.exe	keygen-step-4.exe
PID 1608 wrote to memory of 472	1608	cmd.exe	keygen-step-4.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1180 wrote to memory of 1796	1180	keygen-pr.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 1796 wrote to memory of 948	1796	key.exe	key.exe
PID 524 wrote to memory of 616	524	keygen-step-3.exe	cmd.exe
PID 524 wrote to memory of 616	524	keygen-step-3.exe	cmd.exe
PID 524 wrote to memory of 616	524	keygen-step-3.exe	cmd.exe
PID 524 wrote to memory of 616	524	keygen-step-3.exe	cmd.exe
PID 616 wrote to memory of 1428	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1428	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1428	616	cmd.exe	PING.EXE
PID 616 wrote to memory of 1428	616	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
"C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:324

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:472

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
1⤵
- Runs ping.exe
PID:1428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
84291ae7fb0b96b7a251f4713776d26a

SHA1
79306721714fe88e5ce1905c2488965051d0668e

SHA256
859c80bd87795914b9b95a5b93c5a5c9a67ac2ffc4588f5ccc045fbb2d146d25

SHA512
694d55693afed8e83d65576089fd90db4b98656514d4ad890fd775915a8d7f540db4d79c7a70d697ecba030f1e9ef105d775ab6345d1a1582138365c6434024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
84291ae7fb0b96b7a251f4713776d26a

SHA1
79306721714fe88e5ce1905c2488965051d0668e

SHA256
859c80bd87795914b9b95a5b93c5a5c9a67ac2ffc4588f5ccc045fbb2d146d25

SHA512
694d55693afed8e83d65576089fd90db4b98656514d4ad890fd775915a8d7f540db4d79c7a70d697ecba030f1e9ef105d775ab6345d1a1582138365c6434024c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
9b1372abe17a439bfcca639334246f98

SHA1
2bb99dca239e3e74f0c5d73d8092437a77c384d5

SHA256
b038b6a3e4cbb588a099ff589e135965b7641b004727ba268865c0e310ca4d05

SHA512
e5ec133fdca82e40525daf8a69c3be1dc5b0cda772902a52a5ff74b0e462543f0c2d41d30ad9c5ed737a6b8d6c7fc4f4d2487995262e09946c1945b9fa70251b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
9b1372abe17a439bfcca639334246f98

SHA1
2bb99dca239e3e74f0c5d73d8092437a77c384d5

SHA256
b038b6a3e4cbb588a099ff589e135965b7641b004727ba268865c0e310ca4d05

SHA512
e5ec133fdca82e40525daf8a69c3be1dc5b0cda772902a52a5ff74b0e462543f0c2d41d30ad9c5ed737a6b8d6c7fc4f4d2487995262e09946c1945b9fa70251b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
MD5
f2632c204f883c59805093720dfe5a78

SHA1
c96e3aa03805a84fec3ea4208104a25a2a9d037e

SHA256
f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

SHA512
5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
MD5
84291ae7fb0b96b7a251f4713776d26a

SHA1
79306721714fe88e5ce1905c2488965051d0668e

SHA256
859c80bd87795914b9b95a5b93c5a5c9a67ac2ffc4588f5ccc045fbb2d146d25

SHA512
694d55693afed8e83d65576089fd90db4b98656514d4ad890fd775915a8d7f540db4d79c7a70d697ecba030f1e9ef105d775ab6345d1a1582138365c6434024c

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
MD5
9b1372abe17a439bfcca639334246f98

SHA1
2bb99dca239e3e74f0c5d73d8092437a77c384d5

SHA256
b038b6a3e4cbb588a099ff589e135965b7641b004727ba268865c0e310ca4d05

SHA512
e5ec133fdca82e40525daf8a69c3be1dc5b0cda772902a52a5ff74b0e462543f0c2d41d30ad9c5ed737a6b8d6c7fc4f4d2487995262e09946c1945b9fa70251b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
memory/324-12-0x0000000000000000-mapping.dmp

Download
memory/472-22-0x0000000000000000-mapping.dmp

Download
memory/472-25-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/524-17-0x0000000000000000-mapping.dmp

Download
memory/616-39-0x0000000000000000-mapping.dmp

Download
memory/784-38-0x000007FEF5D50000-0x000007FEF5FCA000-memory.dmp

Filesize
2.5MB

Download
memory/1180-7-0x0000000000000000-mapping.dmp

Download
memory/1428-40-0x0000000000000000-mapping.dmp

Download
memory/1608-3-0x0000000000000000-mapping.dmp

Download
memory/1796-41-0x00000000022A0000-0x000000000243C000-memory.dmp

Filesize
1.6MB

Download
memory/1796-31-0x0000000000000000-mapping.dmp

Download
memory/2004-2-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download