azorult | 3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247

General

Target

3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
Size

777KB
MD5

d4cc17b2b89c9533de2c0b2bf6805e13
SHA1

b5eb101333f67d60ea3b4d3725f76220a93194ad
SHA256

3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247
SHA512

cacf35815d2bbd5fcf0ddb15ea73b0ccf4161ad952e786565c18f5b9fc7c01cdc567b385b08c74d676f28db13443a4c946ab709270b468cd7398eeaa67e57ea8

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://31.210.20.121/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

description	pid	process	target process
PID 1020 set thread context of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

pid	process
1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

description pid process

Token: SeDebugPrivilege 1020 3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

description	pid	process
Token: SeDebugPrivilege	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

description	pid	process	target process
PID 1020 wrote to memory of 1372	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 1372	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 1372	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 1372	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
PID 1020 wrote to memory of 368	1020	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe	3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe

C:\Users\Admin\AppData\Local\Temp\3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
"C:\Users\Admin\AppData\Local\Temp\3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Users\Admin\AppData\Local\Temp\3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
"{path}"
2⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\3278e9c4c457276373847b00e038409b6a14170cf4cedf0879c757df80040247.exe
"{path}"
2⤵
PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/368-64-0x000000000041A1F8-mapping.dmp

Download
memory/368-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1020-60-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1020-61-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1020-62-0x0000000000631000-0x0000000000632000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads