azorult | 3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76

General

Target

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
Size

804KB
MD5

447858b067e7e1b1cb58bc68b0360434
SHA1

ce01c8305b5fcc4877c1b2f953541bb7ca20fa7d
SHA256

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76
SHA512

7996288777178f1f5b432d8b3b9a2bb5595c81fec9585a88dcacd0a0f23aef7834c169f1b2e830baf983834c31ce1a9d47cbbb47a33a5793caf454d05d4997cf

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://whija2.xyz/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

description	pid	process	target process
PID 5048 set thread context of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

pid	process
5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

description pid process

Token: SeDebugPrivilege 5048 3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

description	pid	process
Token: SeDebugPrivilege	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

description	pid	process	target process
PID 5048 wrote to memory of 5084	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 5084	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 5084	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
PID 5048 wrote to memory of 4324	5048	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe	3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe

C:\Users\Admin\AppData\Local\Temp\3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
"C:\Users\Admin\AppData\Local\Temp\3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
  "C:\Users\Admin\AppData\Local\Temp\3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe"
  2⤵
  PID:5084
- C:\Users\Admin\AppData\Local\Temp\3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe
  "C:\Users\Admin\AppData\Local\Temp\3ea0d5204b7f00592980a76c06e5210758c6ac6cb1bc8e90c03739d0ec8ddf76.exe"
  2⤵
  PID:4324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4324-136-0x0000000000000000-mapping.dmp

Download
memory/4324-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4324-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4324-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5048-130-0x00000000004E0000-0x00000000005B0000-memory.dmp

Filesize
832KB

Download
memory/5048-131-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/5048-132-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/5048-133-0x0000000004FF0000-0x0000000004FFA000-memory.dmp

Filesize
40KB

Download
memory/5048-134-0x00000000072F0000-0x000000000738C000-memory.dmp

Filesize
624KB

Download
memory/5084-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads