Malware Analysis Report

2025-08-05 13:07

Sample ID: 220322-htan6aefe6
Target: 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
SHA256: 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327
Tags: azorult gozi_ifsb banker infostealer trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327
Threat Level: Known bad

The file 6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe was found to be: Known bad.

Malicious Activity Summary

Tags: azorult gozi_ifsb banker infostealer trojan

Azorult
Gozi, Gozi IFSB
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-03-22 07:01

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-03-22 07:01
Reported: 2022-03-22 07:13
Platform: win7-20220311-en
Max time kernel: 4294181s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"

Signatures

Azorult (trojan infostealer azorult)

Gozi, Gozi IFSB (banker trojan gozi_ifsb)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 1936 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
PID 1936 wrote to memory of 1912 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe C:\Windows\SysWOW64\WerFault.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"

Image: C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 744

Network

Country Destination Domain Proto
NL 85.202.169.121:80 N/A tcp
NL 85.202.169.121:80 85.202.169.121 tcp

Files

memory/1648-54-0x00000000009C0000-0x0000000000A78000-memory.dmp
memory/1648-55-0x0000000074640000-0x0000000074D2E000-memory.dmp
memory/1648-56-0x0000000004950000-0x0000000004951000-memory.dmp
memory/1648-57-0x0000000000510000-0x000000000052A000-memory.dmp
memory/1648-58-0x0000000004951000-0x0000000004952000-memory.dmp
memory/1648-59-0x0000000005C10000-0x0000000005CB2000-memory.dmp
memory/1648-60-0x00000000009A0000-0x00000000009C2000-memory.dmp
memory/1936-61-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-63-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-65-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-67-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-69-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-71-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-73-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1936-74-0x00000000752C1000-0x00000000752C3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-03-22 07:01
Reported: 2022-03-22 07:12
Platform: win10v2004-en-20220113
Max time kernel: 79s
Max time network: 169s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"

Signatures

Azorult (trojan infostealer azorult)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3832 wrote to memory of 4212 (9 identical events) N/A C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"

Image: C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6fd11b4a09db2c2713edbe0bb7536402e7e7bf0255ed7b80c6dc4d934938e327.exe"

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4212 -ip 4212

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 1220

Network

Country Destination Domain Proto
NL 85.202.169.121:80 85.202.169.121 tcp
NL 104.110.191.133:80 N/A tcp

Files

memory/3832-130-0x00000000001C0000-0x0000000000278000-memory.dmp
memory/3832-131-0x0000000005190000-0x0000000005734000-memory.dmp
memory/3832-132-0x0000000074730000-0x0000000074EE0000-memory.dmp
memory/3832-133-0x0000000004C80000-0x0000000004D12000-memory.dmp
memory/3832-134-0x0000000004C40000-0x0000000004C4A000-memory.dmp
memory/3832-135-0x00000000089A0000-0x0000000008A3C000-memory.dmp
memory/3832-136-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
memory/4212-137-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4212-139-0x0000000000400000-0x0000000000420000-memory.dmp