azorult | 04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6

General

Target

04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe
Size

231KB
MD5

0a1c0441a4b383a7c91bb3a0b2036b20
SHA1

cc32f97cdd7389e4857ca508a4b598831f6c7fd3
SHA256

04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6
SHA512

faa4b15dc354c966dd9447ed52cf94964b224c4b30bb9692706af119e2e6936a2e6188b7cc3743129aeb80db96ecd18573a860fe2ea6fd4bbc3c37af4e09de14

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

XD.exeGuMonSet32.exe

pid process

1984 XD.exe
1792 GuMonSet32.exe

pid	process
1984	XD.exe
1792	GuMonSet32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\GuMonSet32.exe	upx
\Users\Admin\AppData\Local\Temp\GuMonSet32.exe	upx
C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe	upx

Loads dropped DLL 4 IoCs

Processes:

04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe

pid	process
788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe
788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe
788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe
788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe

description	pid	process	target process
PID 788 wrote to memory of 1984	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	XD.exe
PID 788 wrote to memory of 1984	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	XD.exe
PID 788 wrote to memory of 1984	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	XD.exe
PID 788 wrote to memory of 1984	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	XD.exe
PID 788 wrote to memory of 1792	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	GuMonSet32.exe
PID 788 wrote to memory of 1792	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	GuMonSet32.exe
PID 788 wrote to memory of 1792	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	GuMonSet32.exe
PID 788 wrote to memory of 1792	788	04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe	GuMonSet32.exe

C:\Users\Admin\AppData\Local\Temp\04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe
"C:\Users\Admin\AppData\Local\Temp\04721bfde5ece7d75ce90d7d09ddcc71028b26f2290382ffb78efcb2c436b2b6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788
- C:\Users\Admin\AppData\Local\Temp\XD.exe
  "C:\Users\Admin\AppData\Local\Temp\XD.exe"
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe
  "C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe"
  2⤵
  - Executes dropped EXE
  PID:1792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GuMonSet32.exe

MD5
0ee8839051ff9c7c2699c3d80043eaa7

SHA1
77ead602300e8f2556601e30bab65b4eec5cf527

SHA256
a92f119736413ecdc6d764112f57dfeee6c7f5b8cc2ec4c9e235af08cb11b771

SHA512
a5210f5fef07ef47a703e7f63842f8f93d7115f3c375d5a2812975f03d58c9a31cf24fc9e9afe47f501a732b7640146d945ce302f9c67dbad4d84311143de9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XD.exe

MD5
96fb8d393302d80b87fc5871102e9125

SHA1
234a809d5b9ada6b911fbe3846f55c4748cb46a0

SHA256
4a92cd9b845b492b6ba216b85dab28421111d7bbe9f31e857a767cb6fefb09a5

SHA512
46b704f5daa16002849b0473991810e5eb483e3a3ffc2fee3ad38f3f2218296dba48a19fec65aa24f81371d1068b191f30f642cc7304d6f30cb68e4fdee966dd

Download Submit
\Users\Admin\AppData\Local\Temp\GuMonSet32.exe

MD5
0ee8839051ff9c7c2699c3d80043eaa7

SHA1
77ead602300e8f2556601e30bab65b4eec5cf527

SHA256
a92f119736413ecdc6d764112f57dfeee6c7f5b8cc2ec4c9e235af08cb11b771

SHA512
a5210f5fef07ef47a703e7f63842f8f93d7115f3c375d5a2812975f03d58c9a31cf24fc9e9afe47f501a732b7640146d945ce302f9c67dbad4d84311143de9df

Download Submit
\Users\Admin\AppData\Local\Temp\GuMonSet32.exe

MD5
0ee8839051ff9c7c2699c3d80043eaa7

SHA1
77ead602300e8f2556601e30bab65b4eec5cf527

SHA256
a92f119736413ecdc6d764112f57dfeee6c7f5b8cc2ec4c9e235af08cb11b771

SHA512
a5210f5fef07ef47a703e7f63842f8f93d7115f3c375d5a2812975f03d58c9a31cf24fc9e9afe47f501a732b7640146d945ce302f9c67dbad4d84311143de9df

Download Submit
\Users\Admin\AppData\Local\Temp\XD.exe

MD5
96fb8d393302d80b87fc5871102e9125

SHA1
234a809d5b9ada6b911fbe3846f55c4748cb46a0

SHA256
4a92cd9b845b492b6ba216b85dab28421111d7bbe9f31e857a767cb6fefb09a5

SHA512
46b704f5daa16002849b0473991810e5eb483e3a3ffc2fee3ad38f3f2218296dba48a19fec65aa24f81371d1068b191f30f642cc7304d6f30cb68e4fdee966dd

Download Submit
\Users\Admin\AppData\Local\Temp\XD.exe

MD5
96fb8d393302d80b87fc5871102e9125

SHA1
234a809d5b9ada6b911fbe3846f55c4748cb46a0

SHA256
4a92cd9b845b492b6ba216b85dab28421111d7bbe9f31e857a767cb6fefb09a5

SHA512
46b704f5daa16002849b0473991810e5eb483e3a3ffc2fee3ad38f3f2218296dba48a19fec65aa24f81371d1068b191f30f642cc7304d6f30cb68e4fdee966dd

Download Submit
memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1792-66-0x0000000000000000-mapping.dmp

Download
memory/1984-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads