azorult | eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e

General

Target

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
Size

21KB
MD5

95cc0a03522c5e154082e5869d48ce0f
SHA1

c3fe4fd65451f225e4fffcc9112154d5d1d69108
SHA256

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e
SHA512

2437704d3f37bb81eea073b7cf903ca22b6504dcedb807872e89b6c6f889ebb05a8a1045988b3b1057a5850d8927e24bb82a7145e092336de98acff5d66bbd7f

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe

pid	process
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe

description	pid	process	target process
PID 2116 set thread context of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2068 2116 WerFault.exe eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2704 timeout.exe

pid	pid_target	process	target process
2068	2116	WerFault.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe

pid	process
2704	timeout.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exeWerFault.exe

pid	process
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
Token: SeRestorePrivilege	2068	WerFault.exe
Token: SeBackupPrivilege	2068	WerFault.exe
Token: SeDebugPrivilege	2068	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.execmd.exe

C:\Users\Admin\AppData\Local\Temp\eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
"C:\Users\Admin\AppData\Local\Temp\eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:2704

C:\Users\Admin\AppData\Local\Temp\eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
"C:\Users\Admin\AppData\Local\Temp\eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe"
2⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 1900
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-120-0x0000000000000000-mapping.dmp

Download
memory/2116-114-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/2116-116-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2116-117-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2116-118-0x0000000005000000-0x00000000054FE000-memory.dmp

Filesize
5.0MB

Download
memory/2116-119-0x0000000002AD0000-0x0000000002B23000-memory.dmp

Filesize
332KB

Download
memory/2704-121-0x0000000000000000-mapping.dmp

Download
memory/3396-122-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3396-123-0x000000000041A684-mapping.dmp

Download
memory/3396-124-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

description	pid	process	target process
PID 2116 wrote to memory of 2040	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	cmd.exe
PID 2116 wrote to memory of 2040	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	cmd.exe
PID 2116 wrote to memory of 2040	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	cmd.exe
PID 2040 wrote to memory of 2704	2040	cmd.exe	timeout.exe
PID 2040 wrote to memory of 2704	2040	cmd.exe	timeout.exe
PID 2040 wrote to memory of 2704	2040	cmd.exe	timeout.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe
PID 2116 wrote to memory of 3396	2116	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe	eb19bcc9c2fc11bd348b0a7377245ba5a66c810ab8d7d81ae39f8bdc7cbf261e.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads