azorult | 624e5509cedfb8121623c45d583c18e8fc351bf881aafb5c2de521fccba60240

Analysis

max time kernel
122s
max time network
122s
platform
windows10_x64
resource
win10v20210408
submitted
06-05-2021 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

236KB
MD5

41a8eefc3266fe55a90e522a016f54d4
SHA1

a3a931064476409dd4114cf01668860ad5dab37c
SHA256

624e5509cedfb8121623c45d583c18e8fc351bf881aafb5c2de521fccba60240
SHA512

bb4085fc421c007d0612a795285cdd00a3615ec51055648520dd23f95a2f1f7e643ca106b3ea5863b569048b3aba2bae30c021e9237294596d98ed42d8bba85e

Score

10^/10

azorult infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://bengalcement.com.bd/AxPu/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Loads dropped DLL 7 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exeMSBuild.exe

pid	process
860	Ziraat Bankasi Swift Mesaji.exe
512	Ziraat Bankasi Swift Mesaji.exe
3060	Ziraat Bankasi Swift Mesaji.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe
2220	MSBuild.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exe

description pid process target process

PID 3060 set thread context of 2220 3060 Ziraat Bankasi Swift Mesaji.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3060 set thread context of 2220	3060	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

MSBuild.exe

pid process

2220 MSBuild.exe
2220 MSBuild.exe

pid	process
2220	MSBuild.exe
2220	MSBuild.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

pid	process
860	Ziraat Bankasi Swift Mesaji.exe
860	Ziraat Bankasi Swift Mesaji.exe
512	Ziraat Bankasi Swift Mesaji.exe
512	Ziraat Bankasi Swift Mesaji.exe
3060	Ziraat Bankasi Swift Mesaji.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exeZiraat Bankasi Swift Mesaji.exe

description	pid	process	target process
PID 860 wrote to memory of 3184	860	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 860 wrote to memory of 3184	860	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 860 wrote to memory of 3184	860	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 860 wrote to memory of 512	860	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 860 wrote to memory of 512	860	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 860 wrote to memory of 512	860	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 512 wrote to memory of 196	512	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 512 wrote to memory of 196	512	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 512 wrote to memory of 196	512	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 512 wrote to memory of 3060	512	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 512 wrote to memory of 3060	512	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 512 wrote to memory of 3060	512	Ziraat Bankasi Swift Mesaji.exe	Ziraat Bankasi Swift Mesaji.exe
PID 3060 wrote to memory of 2220	3060	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 3060 wrote to memory of 2220	3060	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 3060 wrote to memory of 2220	3060	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe
PID 3060 wrote to memory of 2220	3060	Ziraat Bankasi Swift Mesaji.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
2⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
PID:196

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
4⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\04xh1al0qnjy1rcfm
MD5
c2204251cbf5973a17edcd41b94ec5c8

SHA1
ad0bb13b3ab1c2028fae8cad129001ef1d54f41a

SHA256
fb1f529540ab45872d15c8f8c3ec672221be6870034c01e1ab56c7ccdafd305c

SHA512
6a57f8d90cbe518ab0fca44f27f245f79fa4c7404b3ed19b0036e98fa5a9417909b3f0a19b03841a2b016892100e00065a77e450db5039c17219d2ca4d0c0fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\04xh1al0qnjy1rcfm
MD5
c2204251cbf5973a17edcd41b94ec5c8

SHA1
ad0bb13b3ab1c2028fae8cad129001ef1d54f41a

SHA256
fb1f529540ab45872d15c8f8c3ec672221be6870034c01e1ab56c7ccdafd305c

SHA512
6a57f8d90cbe518ab0fca44f27f245f79fa4c7404b3ed19b0036e98fa5a9417909b3f0a19b03841a2b016892100e00065a77e450db5039c17219d2ca4d0c0fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\sct4rix2tae8dn
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sct4rix2tae8dn
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\mozglue.dll
MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\nss3.dll
MD5
556ea09421a0f74d31c4c0a89a70dc23

SHA1
f739ba9b548ee64b13eb434a3130406d23f836e3

SHA256
f0e6210d4a0d48c7908d8d1c270449c91eb4523e312a61256833bfeaf699abfb

SHA512
2481fc80dffa8922569552c3c3ebaef8d0341b80427447a14b291ec39ea62ab9c05a75e85eef5ea7f857488cab1463c18586f9b076e2958c5a314e459045ede2

Download Submit
\Users\Admin\AppData\Local\Temp\6E3C648E\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\nsh97D3.tmp\19t5vcbhf.dll
MD5
8b9dad0b976b65616b3bfe1e8db9b971

SHA1
a8f2e5fee9d4291c9b548959f55f00c557f28eca

SHA256
f2fea04f3be6a9020edca62a75a19d10112e2218d2f4be36092828da96534df7

SHA512
4356e8ba1c4acc08178cdde88b356f1cd235df5470c282f630f8eb1c29ef044c29b2216e491d54e7d8bf92a9881f2803b20467bc9f08c347af7e4217f2e14ecb

Download Submit
\Users\Admin\AppData\Local\Temp\nsiB492.tmp\19t5vcbhf.dll
MD5
8b9dad0b976b65616b3bfe1e8db9b971

SHA1
a8f2e5fee9d4291c9b548959f55f00c557f28eca

SHA256
f2fea04f3be6a9020edca62a75a19d10112e2218d2f4be36092828da96534df7

SHA512
4356e8ba1c4acc08178cdde88b356f1cd235df5470c282f630f8eb1c29ef044c29b2216e491d54e7d8bf92a9881f2803b20467bc9f08c347af7e4217f2e14ecb

Download Submit
\Users\Admin\AppData\Local\Temp\nssA698.tmp\19t5vcbhf.dll
MD5
8b9dad0b976b65616b3bfe1e8db9b971

SHA1
a8f2e5fee9d4291c9b548959f55f00c557f28eca

SHA256
f2fea04f3be6a9020edca62a75a19d10112e2218d2f4be36092828da96534df7

SHA512
4356e8ba1c4acc08178cdde88b356f1cd235df5470c282f630f8eb1c29ef044c29b2216e491d54e7d8bf92a9881f2803b20467bc9f08c347af7e4217f2e14ecb

Download Submit
memory/512-116-0x0000000000000000-mapping.dmp

Download
memory/860-115-0x0000000000A90000-0x0000000000A92000-memory.dmp

Filesize
8KB

Download
memory/2220-125-0x000000000041A684-mapping.dmp

Download
memory/2220-127-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3060-121-0x0000000000000000-mapping.dmp

Download