azorult | 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126

General

Target

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
Size

341KB
MD5

a8c8c9f845755c28d970990ac073386d
SHA1

ff23867b93b68d1feefcbea5fb5a96fc2b5870d1
SHA256

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126
SHA512

80a358958a39fed9fcf79d3b885a446f727ee89aad5e236074909a5677464c5cdabc8c3129bfb8c228556b8012a5cc54db46c28faf89ed3dff3e900c17ed2d2b

Score

10^/10

azorult infostealer suricata trojan

Malware Config

Extracted

Family

azorult

C2

http://2.56.59.31/purelogs/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata
Executes dropped EXE 2 IoCs

Processes:

ibjyf.exeibjyf.exe

pid process

2964 ibjyf.exe
1348 ibjyf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2964	ibjyf.exe
1348	ibjyf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exeibjyf.exe

description	pid	process	target process
PID 4088 wrote to memory of 2964	4088	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 4088 wrote to memory of 2964	4088	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 4088 wrote to memory of 2964	4088	67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe
PID 2964 wrote to memory of 1348	2964	ibjyf.exe	ibjyf.exe

C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
  C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\ibjyf.exe
    C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl
    3⤵
    - Executes dropped EXE
    PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3rvv473x9d9doywn24w0

Filesize
213KB

MD5
d68efd53b46be72c468deb58e648d035

SHA1
2f7ce2bd0076bf6530905ee8863a93eed5feab56

SHA256
e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5

SHA512
ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Filesize
172KB

MD5
3ce2e03927cfb19ced6be0d1a4df16b9

SHA1
67812421bfad08fa0d0ec9a6fa7341cab5687860

SHA256
23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa

SHA512
0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjpvfl

Filesize
5KB

MD5
ad4a34c660bd08739bde04685d83743c

SHA1
8930ea55e26562c033dca1c6aab8d50fb4bf786b

SHA256
584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2

SHA512
ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f

Download Submit
memory/1348-135-0x0000000000000000-mapping.dmp

Download
memory/1348-139-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/1348-137-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/1348-142-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/2964-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing