azorult | 8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2

Analysis

max time kernel
126s
max time network
99s
platform
windows7_x64
resource
win7v20210408
submitted
16-05-2021 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
Size

3.3MB
MD5

a2e9f04fd2ce09694073d43ac62a5d0e
SHA1

e98853e3512694b13425b82646cd2e869bae31bb
SHA256

8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2
SHA512

ca413738e4404368d05c0ceaf351c8de9f33189ec8821635211e3c35896265542911b4cedaf6caf988ab9f4d21c5781df1384c4c8219edcc54e921dee50b6732

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

busshost.exeYTLoader.exe

pid process

1300 busshost.exe
1556 YTLoader.exe

pid	process
1300	busshost.exe
1556	YTLoader.exe

Loads dropped DLL 8 IoCs

Processes:

8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exeWerFault.exe

pid	process
336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

Processes:

8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1500 1556 WerFault.exe YTLoader.exe

pid	pid_target	process	target process
1500	1556	WerFault.exe	YTLoader.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	YTLoader.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1500 WerFault.exe
1500 WerFault.exe
1500 WerFault.exe
1500 WerFault.exe
1500 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1500 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

YTLoader.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1556 YTLoader.exe
Token: SeDebugPrivilege 1500 WerFault.exe

pid	process
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe

pid	process
1500	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1556	YTLoader.exe
Token: SeDebugPrivilege	1500	WerFault.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exeYTLoader.exe

description	pid	process	target process
PID 336 wrote to memory of 1300	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	busshost.exe
PID 336 wrote to memory of 1300	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	busshost.exe
PID 336 wrote to memory of 1300	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	busshost.exe
PID 336 wrote to memory of 1300	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	busshost.exe
PID 336 wrote to memory of 1556	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	YTLoader.exe
PID 336 wrote to memory of 1556	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	YTLoader.exe
PID 336 wrote to memory of 1556	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	YTLoader.exe
PID 336 wrote to memory of 1556	336	8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe	YTLoader.exe
PID 1556 wrote to memory of 1500	1556	YTLoader.exe	WerFault.exe
PID 1556 wrote to memory of 1500	1556	YTLoader.exe	WerFault.exe
PID 1556 wrote to memory of 1500	1556	YTLoader.exe	WerFault.exe
PID 1556 wrote to memory of 1500	1556	YTLoader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe
"C:\Users\Admin\AppData\Local\Temp\8d1b830b2dda89393dfb738e94f50ccdc80cc27067a70df9fc235d13deb36fa2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:336

C:\Program Files (x86)\LetsSee!\busshost.exe
"C:\Program Files (x86)\LetsSee!\busshost.exe"
2⤵
- Executes dropped EXE
PID:1300

C:\Program Files (x86)\LetsSee!\YTLoader.exe
"C:\Program Files (x86)\LetsSee!\YTLoader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 1084
3⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe
MD5
c0fb247ef64ec4b9cf799a6fcd18180e

SHA1
92870e3882380df04aba8ff5a8f2458928b980e9

SHA256
3c984137c3731017497bddcb5b7dcd920a765bdb80e8af77f4ef61a925a9f0b9

SHA512
a7fc31296334519be557c329ff2ca4a13290b5c81d978940370da8c962bc162077fcaa21b484c9c9ce55b89f49ffb2ea44ec74193d7b4d91d84eca96740f18d4

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\busshost.exe
MD5
c0fb247ef64ec4b9cf799a6fcd18180e

SHA1
92870e3882380df04aba8ff5a8f2458928b980e9

SHA256
3c984137c3731017497bddcb5b7dcd920a765bdb80e8af77f4ef61a925a9f0b9

SHA512
a7fc31296334519be557c329ff2ca4a13290b5c81d978940370da8c962bc162077fcaa21b484c9c9ce55b89f49ffb2ea44ec74193d7b4d91d84eca96740f18d4

Download Submit
\Program Files (x86)\LetsSee!\busshost.exe
MD5
c0fb247ef64ec4b9cf799a6fcd18180e

SHA1
92870e3882380df04aba8ff5a8f2458928b980e9

SHA256
3c984137c3731017497bddcb5b7dcd920a765bdb80e8af77f4ef61a925a9f0b9

SHA512
a7fc31296334519be557c329ff2ca4a13290b5c81d978940370da8c962bc162077fcaa21b484c9c9ce55b89f49ffb2ea44ec74193d7b4d91d84eca96740f18d4

Download Submit
memory/336-59-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1300-69-0x0000000000400000-0x0000000000533000-memory.dmp

Filesize
1.2MB

Download
memory/1300-62-0x0000000000000000-mapping.dmp

Download
memory/1500-93-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1500-87-0x0000000000000000-mapping.dmp

Download
memory/1556-77-0x0000000000720000-0x0000000000725000-memory.dmp

Filesize
20KB

Download
memory/1556-86-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/1556-79-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/1556-80-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/1556-81-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1556-82-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1556-83-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1556-84-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1556-85-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1556-78-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1556-76-0x0000000000730000-0x0000000000735000-memory.dmp

Filesize
20KB

Download
memory/1556-75-0x0000000000710000-0x0000000000719000-memory.dmp

Filesize
36KB

Download
memory/1556-74-0x0000000005090000-0x00000000054E5000-memory.dmp

Filesize
4.3MB

Download
memory/1556-73-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/1556-72-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1556-70-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1556-66-0x0000000000000000-mapping.dmp

Download