azorult | 214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6 | Triage

Analysis

max time kernel
118s
max time network
135s
platform
windows10_x64
resource
win10v20210410
submitted
30-04-2021 10:56

Sharing

Report Analysis Logs

General

Target

PaymentNotification.pdf.exe
Size

1.5MB
MD5

533080297cda36f79983aac2531cd490
SHA1

8ee3fef2355beba65935e9bc3eed95f5ec01ff2e
SHA256

214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6
SHA512

4e764550c8edb05f3e5a1bb49566952d650c3b74476c47795bc7e3a92b4419a96eb84d6adcd2520c92a03f2cd50bf294c7f03c16916efa881c74f5976705b309

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://203.159.80.91/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

PaymentNotification.pdf.exe

description pid process target process

PID 4048 set thread context of 3528 4048 PaymentNotification.pdf.exe PaymentNotification.pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PaymentNotification.pdf.exe

description	pid	process	target process
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 4048 wrote to memory of 3528	4048	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe

C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe
  "{path}"
  2⤵
  PID:3528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3528-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3528-116-0x000000000041A1F8-mapping.dmp

Download
memory/3528-117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4048-114-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download