azorult

General

Target

Radmin_3_serial_keys_gen.exe
Size

5.3MB
Sample

210411-7gx7nkamze
MD5

68bc117c90efa984da82ad574d1bcf56
SHA1

3f219afa3c89fdeb2ca42ba882e4165e732312c7
SHA256

b5e93fa1f6979e036749bd25b70e31c4b14632e01b884623e887e7fc53eedbcc
SHA512

a00dfd976cccd4168de95041791a97df3af214a4bc98244c2d1f4329f0c9719f081a3cb0e3b2ffa8da5292822e296e1a1279c392593c8410cdb9eaa8b92bad57

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

- Target
  
  Radmin_3_serial_keys_gen.exe
- Size
  
  5.3MB
- MD5
  
  68bc117c90efa984da82ad574d1bcf56
- SHA1
  
  3f219afa3c89fdeb2ca42ba882e4165e732312c7
- SHA256
  
  b5e93fa1f6979e036749bd25b70e31c4b14632e01b884623e887e7fc53eedbcc
- SHA512
  
  a00dfd976cccd4168de95041791a97df3af214a4bc98244c2d1f4329f0c9719f081a3cb0e3b2ffa8da5292822e296e1a1279c392593c8410cdb9eaa8b92bad57
Score

10^/10

azorult discovery evasion infostealer persistence spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2