azorult | 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94

General

Target

9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
Size

516KB
MD5

a5669a3c8acad2ac38e73306066edecb
SHA1

484046726d558f448051e5bb73e2b531c2c45246
SHA256

9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94
SHA512

e85b2c1df0e8f2652388056b2f72742f073db3588c9167b0e865df43b2f898c615174df240cb4a923d13b6f050f69e33037329dfacb87ac062cc0148ba7313a9

Score

10^/10

azorult infostealer persistence suricata trojan

Malware Config

Extracted

Family

azorult

C2

http://mideastclinicsea.us/micr05oft-0n1ine/0a8005f5594bd67041f88c6196192646/a5bfc9e07964f8dddeb95fc584cd965d/df877f3865752637daa540ea9cbc474f/webmai1pr0tected/8efd23a3fe0ec74453bdd0fadb91b0e3/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15
suricata
Executes dropped EXE 2 IoCs

Processes:

ydzzl.exeydzzl.exe

pid process

1796 ydzzl.exe
4888 ydzzl.exe

pid	process
1796	ydzzl.exe
4888	ydzzl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ydzzl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miihwsieh = "C:\\Users\\Admin\\AppData\\Roaming\\cchna\\ktqglofa.exe"	ydzzl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exeydzzl.exe

description	pid	process	target process
PID 5088 wrote to memory of 1796	5088	9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe	ydzzl.exe
PID 5088 wrote to memory of 1796	5088	9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe	ydzzl.exe
PID 5088 wrote to memory of 1796	5088	9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe
PID 1796 wrote to memory of 4888	1796	ydzzl.exe	ydzzl.exe

C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
"C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu
3⤵
- Executes dropped EXE
PID:4888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wyjxu
Filesize
7KB

MD5
d8a269678720acfc5dc76b53208c3302

SHA1
2729bad20f6935e5b88489671900ddaa7d22c792

SHA256
88e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf

SHA512
b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82l
Filesize
213KB

MD5
44623f66bab0f6148c33004e7247387f

SHA1
dd457b7633b125d6be1ee9bf9ca242e9e4174451

SHA256
a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2

SHA512
3c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
Filesize
171KB

MD5
b70d0f4c2d7f34f176ece550d76ce092

SHA1
d6ef987a7e62cc591daa3ac2054bc171dec9a159

SHA256
a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039

SHA512
d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
Filesize
171KB

MD5
b70d0f4c2d7f34f176ece550d76ce092

SHA1
d6ef987a7e62cc591daa3ac2054bc171dec9a159

SHA256
a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039

SHA512
d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
Filesize
171KB

MD5
b70d0f4c2d7f34f176ece550d76ce092

SHA1
d6ef987a7e62cc591daa3ac2054bc171dec9a159

SHA256
a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039

SHA512
d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

Download Submit
memory/1796-130-0x0000000000000000-mapping.dmp

Download
memory/4888-135-0x0000000000000000-mapping.dmp

Download
memory/4888-137-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/4888-139-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/4888-142-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing