azorult | fe740b0963f4003fcffab9a6455b66c78b1844c5b48fe0e61a68804484620f65 | Triage

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10v20210408
submitted
21-04-2021 19:51

Sharing

Report Analysis Logs

General

Target

New Order.exe
Size

785KB
MD5

23df9b65361d18bcbab8d29f6a0b99c8
SHA1

f895389d4f366f7fcdced202ea7357195d8a8373
SHA256

fe740b0963f4003fcffab9a6455b66c78b1844c5b48fe0e61a68804484620f65
SHA512

09057fb93f8d1faa032b3414e1c34b804047eec36443d24242f568c96261f85629f487ab4373c6540e8f34d1d583182867bc3e9f0bb030c1faa4d508f27b8d44

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://149.248.35.254/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Order.exe

description pid process target process

PID 1456 set thread context of 3144 1456 New Order.exe New Order.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

New Order.exe

description	pid	process	target process
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe
PID 1456 wrote to memory of 3144	1456	New Order.exe	New Order.exe

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"{path}"
2⤵
PID:3144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-114-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/3144-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3144-116-0x000000000041A1F8-mapping.dmp

Download
memory/3144-117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download