azorult | 56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6

General

Target

56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe
Size

334KB
MD5

42639236c1ca97250de87dcde78f7644
SHA1

5dadcb3d8b5723a92dc1d89d7be1a264b1cb9c23
SHA256

56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6
SHA512

d9eea40eb53af409ec4ee204eba57a733ae78632924d951c543ead32e8c7624136debdab25681ca616d38f7b1c0cc367b883c359d978d6f6a1b11bd53ddbc832

Score

10^/10

azorult infostealer suricata trojan

Malware Config

Extracted

Family

azorult

C2

http://2.56.59.31/myown/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata
Executes dropped EXE 2 IoCs

Processes:

ywazffher.exeywazffher.exe

pid process

3564 ywazffher.exe
4640 ywazffher.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3564	ywazffher.exe
4640	ywazffher.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exeywazffher.exe

description	pid	process	target process
PID 3888 wrote to memory of 3564	3888	56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe	ywazffher.exe
PID 3888 wrote to memory of 3564	3888	56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe	ywazffher.exe
PID 3888 wrote to memory of 3564	3888	56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe
PID 3564 wrote to memory of 4640	3564	ywazffher.exe	ywazffher.exe

C:\Users\Admin\AppData\Local\Temp\56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe
"C:\Users\Admin\AppData\Local\Temp\56dedd515106bc5df8a08625e59d5b0613c01909574c57c0cf7ed391640030c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
C:\Users\Admin\AppData\Local\Temp\ywazffher.exe C:\Users\Admin\AppData\Local\Temp\irnxafuxa
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
C:\Users\Admin\AppData\Local\Temp\ywazffher.exe C:\Users\Admin\AppData\Local\Temp\irnxafuxa
3⤵
- Executes dropped EXE
PID:4640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\irnxafuxa
Filesize
4KB

MD5
f8ee716f57cda999998dbd7305d441d4

SHA1
b140aad0ff9fcaec6c0049718e7c7fc8d3afb203

SHA256
3df94ca7c6d557878f87a10ccfa218085fbf1ae3bac24b73d761fb7c813d5647

SHA512
f775b5a89a3363b4ce4d4a1f7abf6af7a44ac5f31af6f10501323b82cbed775524bb3126d4d62a5be62a88a3d584d06c9aa61ddc90793e71ce81c057817eaffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pehmgcrtqx2kbc
Filesize
210KB

MD5
2e431dd2a1d51b85c97a51363ccdfed9

SHA1
155964866dfc8bff22f3c40de307a307b9333115

SHA256
72850a625327e09ede65dd8adf513974b923656366bb06d83c9b3c88a8d5eea0

SHA512
57d794f8cd30ff7a6d4ba71f24768e6261803281de247440bec9c6291a125e179d8aa29294eeecff2c11c30d2e9aa71b55eb8e159b692ca3f227c626356e4976

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
Filesize
162KB

MD5
ef9193e0462fcf1fd016952f58e2b749

SHA1
48d90f8fcd61ea6423056ace4627cece3ce879dc

SHA256
32c76da994a20f40bae3b97dee9b4a47d23855ee716736348d29a653ee4e62ee

SHA512
6be39b59a0d5d57b848bc0de74beba1dbce153275dc235b1f872af08f1b2b4d6f3cdd25d636835a386817f59d9d94c176357fb6623b9d9e936d6cfe4a7bf90af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
Filesize
162KB

MD5
ef9193e0462fcf1fd016952f58e2b749

SHA1
48d90f8fcd61ea6423056ace4627cece3ce879dc

SHA256
32c76da994a20f40bae3b97dee9b4a47d23855ee716736348d29a653ee4e62ee

SHA512
6be39b59a0d5d57b848bc0de74beba1dbce153275dc235b1f872af08f1b2b4d6f3cdd25d636835a386817f59d9d94c176357fb6623b9d9e936d6cfe4a7bf90af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywazffher.exe
Filesize
162KB

MD5
ef9193e0462fcf1fd016952f58e2b749

SHA1
48d90f8fcd61ea6423056ace4627cece3ce879dc

SHA256
32c76da994a20f40bae3b97dee9b4a47d23855ee716736348d29a653ee4e62ee

SHA512
6be39b59a0d5d57b848bc0de74beba1dbce153275dc235b1f872af08f1b2b4d6f3cdd25d636835a386817f59d9d94c176357fb6623b9d9e936d6cfe4a7bf90af

Download Submit
memory/3564-130-0x0000000000000000-mapping.dmp

Download
memory/4640-135-0x0000000000000000-mapping.dmp

Download
memory/4640-137-0x0000000000F80000-0x0000000000FA0000-memory.dmp

Filesize
128KB

Download
memory/4640-139-0x0000000000F80000-0x0000000000FA0000-memory.dmp

Filesize
128KB

Download
memory/4640-142-0x0000000000F80000-0x0000000000FA0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing