azorult | 214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6

Analysis

Target

PaymentNotification.pdf.exe
Size

1.5MB
MD5

533080297cda36f79983aac2531cd490
SHA1

8ee3fef2355beba65935e9bc3eed95f5ec01ff2e
SHA256

214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6
SHA512

4e764550c8edb05f3e5a1bb49566952d650c3b74476c47795bc7e3a92b4419a96eb84d6adcd2520c92a03f2cd50bf294c7f03c16916efa881c74f5976705b309

Score

10^/10

Family

azorult

http://203.159.80.91/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

PaymentNotification.pdf.exe

description pid process target process

PID 484 set thread context of 1224 484 PaymentNotification.pdf.exe PaymentNotification.pdf.exe

description	pid	process	target process
PID 484 set thread context of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

PaymentNotification.pdf.exe

description	pid	process	target process
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe
PID 484 wrote to memory of 1224	484	PaymentNotification.pdf.exe	PaymentNotification.pdf.exe

C:\Users\Admin\AppData\Local\Temp\PaymentNotification.pdf.exe
"{path}"
2⤵
PID:1224

memory/484-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/484-61-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/484-65-0x0000000000521000-0x0000000000522000-memory.dmp

Filesize
4KB

Download
memory/1224-63-0x000000000041A1F8-mapping.dmp

Download
memory/1224-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1224-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download