azorult | db983ec8265e31a052ec43b742f1f266225f09d07a6a6a67947fbaabb42ef73f

General

Target

Reqest for Quotation.exe
Size

650KB
MD5

9d544edbac1411fd5c7ce439100680f8
SHA1

6ef2e1a2e35533777478b3b4f9b7d67c5a53b69d
SHA256

db983ec8265e31a052ec43b742f1f266225f09d07a6a6a67947fbaabb42ef73f
SHA512

e415c48ef9390a3ce7c09af437acfa56b8ed72d5c2718f3ddea36e14eae42bb81d380b6efd7373b182a1c590421f33864c5a7bd7b4e278429fa863f83a45953c

Score

10^/10

Family

azorult

C2

http://31.210.21.194/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

Reqest for Quotation.exe

description pid process target process

PID 4024 set thread context of 2648 4024 Reqest for Quotation.exe Reqest for Quotation.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Reqest for Quotation.exe

pid process

4024 Reqest for Quotation.exe
4024 Reqest for Quotation.exe
4024 Reqest for Quotation.exe
4024 Reqest for Quotation.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Reqest for Quotation.exe

description pid process

Token: SeDebugPrivilege 4024 Reqest for Quotation.exe

description	pid	process	target process
PID 4024 set thread context of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe

description	pid	process
Token: SeDebugPrivilege	4024	Reqest for Quotation.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Reqest for Quotation.exe

description	pid	process	target process
PID 4024 wrote to memory of 3828	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 3828	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 3828	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 3628	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 3628	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 3628	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe
PID 4024 wrote to memory of 2648	4024	Reqest for Quotation.exe	Reqest for Quotation.exe

memory/2648-116-0x000000000041A1F8-mapping.dmp

Download
memory/2648-115-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2648-117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4024-114-0x0000000002B50000-0x0000000002B51000-memory.dmp

Filesize
4KB

Download