azorult | 97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b

General

Target

97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
Size

304KB
MD5

6529ae6f83ba1f1885f1b7b79c27f3c5
SHA1

60c9a10e8ad5f95341df373cb662f71f6e4541d8
SHA256

97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b
SHA512

0773c732d1ed10b2e847e0220f1b30a73bb80d8f5ef9cef9bc15752e5cb54964737a22c1682cc8be05a7c8a7bee6a842ec694cd0d8feed1e560b7b10bc9e8cb6

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://obimmaa.ir/jay/32/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

description	pid	process	target process
PID 1848 set thread context of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

pid	process
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

description pid process

Token: SeDebugPrivilege 1848 97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

description	pid	process
Token: SeDebugPrivilege	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

description	pid	process	target process
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
PID 1848 wrote to memory of 268	1848	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe	97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe

C:\Users\Admin\AppData\Local\Temp\97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
"C:\Users\Admin\AppData\Local\Temp\97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe
"C:\Users\Admin\AppData\Local\Temp\97db5d6bf244ec42d214ecda6116b47f3f832cdeb7e2420cb61b38bd38f6e56b.exe"
2⤵
PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-124-0x000000000041A1F8-mapping.dmp

Download
memory/268-125-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1848-59-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/1848-61-0x00000000004E0000-0x00000000004E3000-memory.dmp

Filesize
12KB

Download
memory/1848-123-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads