azorult | 2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce

General

Target

2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
Size

495KB
MD5

28c639c743ca0c9af8e46abc9d008b83
SHA1

aa5fb9beb8e12e2bee41a90cf9ef68cc3dc0c0eb
SHA256

2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce
SHA512

1e454c58df3f7b427a764da1c5153fe305d01260ad32a0a03c7540bc56454cffac69cc585177ac31abc646c649d9d15e14eb1b49c983007900eca69a8089334e

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://5.161.106.206/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe

description	pid	process	target process
PID 2640 set thread context of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe

description	pid	process	target process
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
PID 2640 wrote to memory of 4440	2640	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe	2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe

C:\Users\Admin\AppData\Local\Temp\2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
"C:\Users\Admin\AppData\Local\Temp\2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\2e970a59c6813b50be54a729c3e4939347302f73bc302e3227114b73d0ec7dce.exe
  "{path}"
  2⤵
  PID:4440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-130-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2640-131-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/2640-132-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/2640-133-0x0000000005790000-0x000000000582C000-memory.dmp

Filesize
624KB

Download
memory/2640-134-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/4440-135-0x0000000000000000-mapping.dmp

Download
memory/4440-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4440-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4440-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing