azorult | 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126

Analysis

max time kernel
41s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-05-2022 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
Size

341KB
MD5

a8c8c9f845755c28d970990ac073386d
SHA1

ff23867b93b68d1feefcbea5fb5a96fc2b5870d1
SHA256

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126
SHA512

80a358958a39fed9fcf79d3b885a446f727ee89aad5e236074909a5677464c5cdabc8c3129bfb8c228556b8012a5cc54db46c28faf89ed3dff3e900c17ed2d2b

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://2.56.59.31/purelogs/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

ibjyf.exeibjyf.exe

pid process

1820 ibjyf.exe
1332 ibjyf.exe
Loads dropped DLL 5 IoCs

Processes:

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exeibjyf.exeWerFault.exe

pid process

1352 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
1820 ibjyf.exe
1932 WerFault.exe
1932 WerFault.exe
1932 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1932 1332 WerFault.exe ibjyf.exe

pid	process
1820	ibjyf.exe
1332	ibjyf.exe

pid	process
1352	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
1820	ibjyf.exe
1932	WerFault.exe
1932	WerFault.exe
1932	WerFault.exe

pid	pid_target	process	target process
1932	1332	WerFault.exe	ibjyf.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exeibjyf.exeibjyf.exe

description	pid	process	target process
PID 1352 wrote to memory of 1820	1352	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 1352 wrote to memory of 1820	1352	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 1352 wrote to memory of 1820	1352	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 1352 wrote to memory of 1820	1352	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1820 wrote to memory of 1332	1820	ibjyf.exe	ibjyf.exe
PID 1332 wrote to memory of 1932	1332	ibjyf.exe	WerFault.exe
PID 1332 wrote to memory of 1932	1332	ibjyf.exe	WerFault.exe
PID 1332 wrote to memory of 1932	1332	ibjyf.exe	WerFault.exe
PID 1332 wrote to memory of 1932	1332	ibjyf.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
  C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
    C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 120
      4⤵
      Loads dropped DLL
      Program crash
      PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3rvv473x9d9doywn24w0

Filesize
213KB

MD5
d68efd53b46be72c468deb58e648d035

SHA1
2f7ce2bd0076bf6530905ee8863a93eed5feab56

SHA256
e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5

SHA512
ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjpvfl

Filesize
5KB

MD5
ad4a34c660bd08739bde04685d83743c

SHA1
8930ea55e26562c033dca1c6aab8d50fb4bf786b

SHA256
584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2

SHA512
ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f

Download Submit
\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
memory/1332-63-0x0000000000000000-mapping.dmp

Download
memory/1332-65-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1332-70-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1332-67-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/1352-54-0x0000000075381000-0x0000000075383000-memory.dmp

Filesize
8KB

Download
memory/1820-56-0x0000000000000000-mapping.dmp

Download
memory/1932-71-0x0000000000000000-mapping.dmp

Download