azorult | 2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c

General

Target

IMG_767893434432.scr
Size

360KB
MD5

641e970f32447644bd26570d3be688a1
SHA1

fb4aac120c7d4543326e06f1438a570a62524b86
SHA256

2084b62c05ac13dfa48fde86f237473d35f3f169c030b829ceb49f3005b6451c
SHA512

6b89cb2faa64a2345a61792c5ac577b73aa11d9072185ab2f31a2b61a5c1d68784cf85d5702941ba5ef9c5bd8f82cb53113906a4e437cb7648e307d043904bbe

Score

10^/10

azorult discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

https://sterline.lt/lokk/32/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

pid process

340 AdvancedRun.exe
3660 AdvancedRun.exe
2320 AdvancedRun.exe
3200 AdvancedRun.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG_767893434432.scr

description pid process target process

PID 504 set thread context of 3808 504 IMG_767893434432.scr IMG_767893434432.scr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 504 set thread context of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG_767893434432.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	IMG_767893434432.scr
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	IMG_767893434432.scr

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

IMG_767893434432.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	IMG_767893434432.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	IMG_767893434432.scr

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeIMG_767893434432.scrIMG_767893434432.scr

pid	process
340	AdvancedRun.exe
340	AdvancedRun.exe
340	AdvancedRun.exe
340	AdvancedRun.exe
3660	AdvancedRun.exe
3660	AdvancedRun.exe
3660	AdvancedRun.exe
3660	AdvancedRun.exe
2320	AdvancedRun.exe
2320	AdvancedRun.exe
2320	AdvancedRun.exe
2320	AdvancedRun.exe
3200	AdvancedRun.exe
3200	AdvancedRun.exe
3200	AdvancedRun.exe
3200	AdvancedRun.exe
504	IMG_767893434432.scr
504	IMG_767893434432.scr
504	IMG_767893434432.scr
504	IMG_767893434432.scr
504	IMG_767893434432.scr
504	IMG_767893434432.scr
3808	IMG_767893434432.scr
3808	IMG_767893434432.scr

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

IMG_767893434432.scrAdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	504	IMG_767893434432.scr
Token: SeDebugPrivilege	340	AdvancedRun.exe
Token: SeImpersonatePrivilege	340	AdvancedRun.exe
Token: SeDebugPrivilege	3660	AdvancedRun.exe
Token: SeImpersonatePrivilege	3660	AdvancedRun.exe
Token: SeDebugPrivilege	2320	AdvancedRun.exe
Token: SeImpersonatePrivilege	2320	AdvancedRun.exe
Token: SeDebugPrivilege	3200	AdvancedRun.exe
Token: SeImpersonatePrivilege	3200	AdvancedRun.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

IMG_767893434432.scrAdvancedRun.exeAdvancedRun.exe

description	pid	process	target process
PID 504 wrote to memory of 340	504	IMG_767893434432.scr	AdvancedRun.exe
PID 504 wrote to memory of 340	504	IMG_767893434432.scr	AdvancedRun.exe
PID 504 wrote to memory of 340	504	IMG_767893434432.scr	AdvancedRun.exe
PID 340 wrote to memory of 3660	340	AdvancedRun.exe	AdvancedRun.exe
PID 340 wrote to memory of 3660	340	AdvancedRun.exe	AdvancedRun.exe
PID 340 wrote to memory of 3660	340	AdvancedRun.exe	AdvancedRun.exe
PID 504 wrote to memory of 2320	504	IMG_767893434432.scr	AdvancedRun.exe
PID 504 wrote to memory of 2320	504	IMG_767893434432.scr	AdvancedRun.exe
PID 504 wrote to memory of 2320	504	IMG_767893434432.scr	AdvancedRun.exe
PID 2320 wrote to memory of 3200	2320	AdvancedRun.exe	AdvancedRun.exe
PID 2320 wrote to memory of 3200	2320	AdvancedRun.exe	AdvancedRun.exe
PID 2320 wrote to memory of 3200	2320	AdvancedRun.exe	AdvancedRun.exe
PID 504 wrote to memory of 2072	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 2072	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 2072	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr
PID 504 wrote to memory of 3808	504	IMG_767893434432.scr	IMG_767893434432.scr

C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
"C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:504

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 340
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2320
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
2⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
C:\Users\Admin\AppData\Local\Temp\IMG_767893434432.scr
2⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/340-20-0x0000000000000000-mapping.dmp

Download
memory/504-7-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/504-8-0x00000000015D0000-0x00000000015D1000-memory.dmp

Filesize
4KB

Download
memory/504-9-0x0000000008560000-0x0000000008562000-memory.dmp

Filesize
8KB

Download
memory/504-10-0x0000000008580000-0x00000000085D3000-memory.dmp

Filesize
332KB

Download
memory/504-19-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/504-6-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/504-5-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/504-3-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/504-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-25-0x0000000000000000-mapping.dmp

Download
memory/3200-27-0x0000000000000000-mapping.dmp

Download
memory/3660-23-0x0000000000000000-mapping.dmp

Download
memory/3808-29-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3808-30-0x000000000041A1F8-mapping.dmp

Download
memory/3808-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads