azorult | da889f40e6ee1f71dbc8282fa19dbeee68f5028384af7f96f620bd4f23d2de42

General

Target

HalkbankEkstre0414217826353988773.exe
Size

153KB
MD5

3455f87da5d2a50c79506161412ca0a3
SHA1

c6234860a5b7a187c245e96638a4919bbef6966d
SHA256

da889f40e6ee1f71dbc8282fa19dbeee68f5028384af7f96f620bd4f23d2de42
SHA512

5b762e7f31e12654d3688ce81059436d90d29e906cb3b0319d7a14c5914bb7be6f8b723f8d51fecacc0558981694e313e34dea4ebfb1d025be58e613003b29a8

Score

10^/10

azorult infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://cupazo.co.in/TyBmo/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Loads dropped DLL 6 IoCs

Processes:

HalkbankEkstre0414217826353988773.exeHalkbankEkstre0414217826353988773.exeMSBuild.exe

pid	process
852	HalkbankEkstre0414217826353988773.exe
200	HalkbankEkstre0414217826353988773.exe
2936	MSBuild.exe
2936	MSBuild.exe
2936	MSBuild.exe
2936	MSBuild.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

HalkbankEkstre0414217826353988773.exe

description pid process target process

PID 200 set thread context of 2936 200 HalkbankEkstre0414217826353988773.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 200 set thread context of 2936	200	HalkbankEkstre0414217826353988773.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

2936 MSBuild.exe
2936 MSBuild.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

HalkbankEkstre0414217826353988773.exeHalkbankEkstre0414217826353988773.exe

pid process

852 HalkbankEkstre0414217826353988773.exe
852 HalkbankEkstre0414217826353988773.exe
200 HalkbankEkstre0414217826353988773.exe

pid	process
2936	MSBuild.exe
2936	MSBuild.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

HalkbankEkstre0414217826353988773.exeHalkbankEkstre0414217826353988773.exe

description	pid	process	target process
PID 852 wrote to memory of 3528	852	HalkbankEkstre0414217826353988773.exe	MSBuild.exe
PID 852 wrote to memory of 3528	852	HalkbankEkstre0414217826353988773.exe	MSBuild.exe
PID 852 wrote to memory of 3528	852	HalkbankEkstre0414217826353988773.exe	MSBuild.exe
PID 852 wrote to memory of 200	852	HalkbankEkstre0414217826353988773.exe	HalkbankEkstre0414217826353988773.exe
PID 852 wrote to memory of 200	852	HalkbankEkstre0414217826353988773.exe	HalkbankEkstre0414217826353988773.exe
PID 852 wrote to memory of 200	852	HalkbankEkstre0414217826353988773.exe	HalkbankEkstre0414217826353988773.exe
PID 200 wrote to memory of 2936	200	HalkbankEkstre0414217826353988773.exe	MSBuild.exe
PID 200 wrote to memory of 2936	200	HalkbankEkstre0414217826353988773.exe	MSBuild.exe
PID 200 wrote to memory of 2936	200	HalkbankEkstre0414217826353988773.exe	MSBuild.exe
PID 200 wrote to memory of 2936	200	HalkbankEkstre0414217826353988773.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe
"C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
2⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe
"C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\HalkbankEkstre0414217826353988773.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\521pekm1xt
MD5
f84bd86a197e08dcf95c733d9e650f34

SHA1
dfc6b54a5940ad4b162e2251b0a9aad74490ab61

SHA256
21b7b85dfea0a5284f5c8760a46750280f8956e498137b044a9d0eb688aed508

SHA512
83d7180f1c81932803e91a4dcce9e0e7b710be10ff818e3a03816facb26ab6bcd59cd3e5d95fd4cf0dfb43688588135916c42cb424950065e101f46e4d10a752

Download Submit
C:\Users\Admin\AppData\Local\Temp\9folrhk0ki2n
MD5
c1cbf6c77fbdc0db63906a7a69665c56

SHA1
61f70bef4fde742140949363094502ec77947924

SHA256
e70febeccfd2175ff431786a61aea7012fb0da5e7d53a3978749e507dba31e0a

SHA512
d8b791c269990a62ef3e4f521c03eb35e895e7bcdc9e7f525158495cd9d666a6a0e0ea6b980104e925b2ba446e8b68754709fe04ad3fb36b6058030b8751bc48

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\nso9D21.tmp\2azzens5lweoq5l.dll
MD5
5344b0bbb3d4851985d30338a60ae6b0

SHA1
bb0b4f32eaa2aa5b3d5ef50675ec689a84a55795

SHA256
0cc326a1b49c7c0622394569dc5da9fd0ef59c4d9d84e3029117a1aee6b873b3

SHA512
bc429ab4eab424b28c7fdd1f737dcb3aabbbcffa5af1f3f9803ac6e79f1c5e5898066495ebdb90509d61fbc54b3a5afb7033ca93a6dc680008fb17cbfaee6bcc

Download Submit
\Users\Admin\AppData\Local\Temp\nss8E1D.tmp\2azzens5lweoq5l.dll
MD5
5344b0bbb3d4851985d30338a60ae6b0

SHA1
bb0b4f32eaa2aa5b3d5ef50675ec689a84a55795

SHA256
0cc326a1b49c7c0622394569dc5da9fd0ef59c4d9d84e3029117a1aee6b873b3

SHA512
bc429ab4eab424b28c7fdd1f737dcb3aabbbcffa5af1f3f9803ac6e79f1c5e5898066495ebdb90509d61fbc54b3a5afb7033ca93a6dc680008fb17cbfaee6bcc

Download Submit
memory/200-117-0x0000000000000000-mapping.dmp

Download
memory/200-123-0x00000000024C1000-0x00000000024C3000-memory.dmp

Filesize
8KB

Download
memory/200-122-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/852-116-0x0000000002DC1000-0x0000000002DC3000-memory.dmp

Filesize
8KB

Download
memory/852-115-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/2936-124-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2936-121-0x000000000041A684-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads