azorult | 214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6

General

Target

214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
Size

1.5MB
MD5

533080297cda36f79983aac2531cd490
SHA1

8ee3fef2355beba65935e9bc3eed95f5ec01ff2e
SHA256

214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6
SHA512

4e764550c8edb05f3e5a1bb49566952d650c3b74476c47795bc7e3a92b4419a96eb84d6adcd2520c92a03f2cd50bf294c7f03c16916efa881c74f5976705b309

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://203.159.80.91/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe

description	pid	process	target process
PID 1092 set thread context of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe

description	pid	process	target process
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
PID 1092 wrote to memory of 1712	1092	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe	214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe

C:\Users\Admin\AppData\Local\Temp\214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
"C:\Users\Admin\AppData\Local\Temp\214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\214ecc0799cdfadc554d2214d558c979211bc2275da1c2fb8e07732b1eb013c6.exe
"{path}"
2⤵
PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-60-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1092-61-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1092-65-0x0000000002231000-0x0000000002232000-memory.dmp

Filesize
4KB

Download
memory/1712-63-0x000000000041A1F8-mapping.dmp

Download
memory/1712-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1712-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing