Analysis Overview
SHA256
4be254737e7b1971585ad23913a73d534a260a864a758253ef134d30b103da1e
Threat Level: Known bad
The file 4be254737e7b1971585ad23913a73d534a260a864a758253ef134d30b103da1e was found to be: Known bad.
Malicious Activity Summary
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
Azorult
Suspicious use of SetThreadContext
AutoIT Executable
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
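The three API signatures above (SetThreadContext, WriteProcessMemory, and the many child copies of the same image in the Processes list below) are what a sandbox reports when a process starts a suspended copy of itself, overwrites its memory and redirects its main thread. The following Python is an added example, not code from this report or from the sandbox: it implements that detection logic over a constructed API trace. The ApiCall field names, the NtUnmapViewOfSection/VirtualAllocEx steps and the PID values are assumptions for illustration; the report itself records only the three signatures, not the call sequence.

```python
"""Flag the suspended-create / WriteProcessMemory / SetThreadContext sequence
behind the "Suspicious use of SetThreadContext" and "WriteProcessMemory"
signatures.

Added example, not code from the report or the sandbox. The trace below is
constructed; the ApiCall field names are an assumption, not a real schema.
"""
from __future__ import annotations
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # documented CreateProcess dwCreationFlags bit
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"


@dataclass(frozen=True)
class ApiCall:
    seq: int    # position in the trace
    pid: int    # calling process
    api: str    # API name as the sandbox would log it
    args: dict  # relevant arguments (assumed field names)


# Constructed trace: PID 1348 starts a second copy of its own image suspended,
# overwrites the child's image region and points its main thread into it.
SAMPLE_TRACE = [
    ApiCall(1, 1348, "CreateProcessW", {"caller_image": SAMPLE_IMAGE, "image": SAMPLE_IMAGE,
                                         "flags": CREATE_SUSPENDED, "child_pid": 904}),
    ApiCall(2, 1348, "NtUnmapViewOfSection", {"target_pid": 904, "base": 0x400000}),
    ApiCall(3, 1348, "VirtualAllocEx", {"target_pid": 904, "base": 0x400000, "size": 0x20000}),
    ApiCall(4, 1348, "WriteProcessMemory", {"target_pid": 904, "address": 0x400000, "size": 0x20000}),
    ApiCall(5, 1348, "SetThreadContext", {"target_pid": 904, "eip": 0x41A1F8}),
    ApiCall(6, 1348, "ResumeThread", {"target_pid": 904}),
    # Control: a write into a process this caller never created (debugger-like).
    ApiCall(7, 2000, "WriteProcessMemory", {"target_pid": 2001, "address": 0x10000, "size": 0x100}),
    # Control: a suspended create that is only resumed, never written into.
    ApiCall(8, 3000, "CreateProcessW", {"caller_image": "C:\\x.exe", "image": "C:\\y.exe",
                                         "flags": CREATE_SUSPENDED, "child_pid": 3001}),
    ApiCall(9, 3000, "ResumeThread", {"target_pid": 3001}),
]


@dataclass
class ChildState:
    parent: int
    same_image: bool
    writes: list = field(default_factory=list)  # (address, size) per WriteProcessMemory
    new_eip: int | None = None
    resumed: bool = False


def detect_hollowing(trace):
    """Return one finding per child that its creator started suspended, wrote
    into, and then retargeted with SetThreadContext. Only calls made by the
    creator after the suspended create count, so a write by an unrelated
    process, or a suspended create that is merely resumed, does not match."""
    children: dict[int, ChildState] = {}
    for call in sorted(trace, key=lambda c: c.seq):
        a = call.args
        if call.api in ("CreateProcessA", "CreateProcessW"):
            if a.get("flags", 0) & CREATE_SUSPENDED:
                same = a["image"].lower() == a.get("caller_image", "").lower()
                children[a["child_pid"]] = ChildState(parent=call.pid, same_image=same)
            continue
        st = children.get(a.get("target_pid"))
        if st is None or st.parent != call.pid:
            continue
        if call.api == "WriteProcessMemory":
            st.writes.append((a["address"], a["size"]))
        elif call.api == "SetThreadContext":
            st.new_eip = a.get("eip")
        elif call.api == "ResumeThread":
            st.resumed = True

    findings = []
    for child, st in children.items():
        if not st.writes or st.new_eip is None:
            continue
        findings.append({
            "parent": st.parent,
            "child": child,
            "same_image": st.same_image,
            # the new instruction pointer lands inside memory the parent wrote
            "eip_in_written_region": any(lo <= st.new_eip < lo + sz for lo, sz in st.writes),
            "resumed": st.resumed,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

The same_image flag is what distinguishes the pattern in this report (every child in the Processes list is the sample's own path) from a loader that hollows a different, legitimate binary; both are injection, but the former makes the parent path alone a useful hunting key.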
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-20 13:37
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:18
Platform
win7-20220414-en
Max time kernel
149s
Max time network
159s
Command Line
Signatures
Azorult
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
Files
memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp
memory/904-55-0x0000000000400000-0x0000000000420000-memory.dmp
memory/904-57-0x0000000000400000-0x0000000000420000-memory.dmp
memory/904-64-0x000000000041A1F8-mapping.dmp
memory/904-66-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1348-68-0x0000000000520000-0x0000000000559000-memory.dmp
memory/1348-69-0x0000000000560000-0x0000000000599000-memory.dmp
memory/1072-79-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q42AHYH8.txt
| MD5 | da96cf93da0ba0c9ec9a513fdf52eb3b |
| SHA1 | b0a2ce83702b970e30c169a8c05a999637ace607 |
| SHA256 | 4ecdb26d3232ecb561649aef535f01198c6f6dc9ac5ecd2ea619adbf7338f500 |
| SHA512 | 0f39b9b49bb0fbd70f6fa5d73ee351ba2f5f702c8fb261c46a5cc7568b080665b3568652d4242fae12b685cce4d9f9bd47dac672f0b6ebebf9572032e551d8d3 |
memory/1892-93-0x000000000041A1F8-mapping.dmp
memory/1820-99-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1820-106-0x000000000009A1F8-mapping.dmp
memory/1820-108-0x0000000000080000-0x00000000000A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PMVPO0R7.txt
| MD5 | bcb3502fb8e5433c906767cefdcffd14 |
| SHA1 | c22bd35f7eda5c745f67859af72b00606f1205e1 |
| SHA256 | 9eed1abfff7460e94bdb95e25b753481132ecba70d03ffcedad8d627a0e0b44d |
| SHA512 | 03d010924498e9cec57f774929a602df168820cd416a8cd1d254d3c2ffb35e4cc3eb1a6a6da67a061c8b09d701c401ac5aa253515f147846fc83139e43e09492 |
memory/1348-111-0x00000000026C0000-0x0000000002802000-memory.dmp
memory/612-121-0x000000000009A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MXUXAYFI.txt
| MD5 | db095da5aecf4bc4abd5cb164095897b |
| SHA1 | 328742e9a900a6a21d8b32c86bc925cef82b32a7 |
| SHA256 | 990636080d8ccc386ee6d34128fa63c15c1591ac6721c792115cfd8febc9d380 |
| SHA512 | 54ff89e9d54ebffc26c21e588fd2a8ef7ae513dce089705990d2aa11b54100a59f60ec628f811eda1828f23a165dc7d657bdaaa6fc51ef81416201e5eb2a5998 |
memory/1704-135-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E2O2JG5B.txt
| MD5 | e5d797ceb29ca9b6528832cd61be5121 |
| SHA1 | 01cab6d6e1e39a1dfe1ee70d7f69530d7c2105b0 |
| SHA256 | adc332afa1205511cb876fe4bed1cec90e00c24615900694bfcf52d8396f61c1 |
| SHA512 | bf457acdf580b934c86c70d37b8fa18740c54d62223ffe80e3fa9c84e5901fd6da04280ab250eb82ffc91ae0d384e24f0d21bca1159cb558a96775dcdf34e26c |
memory/1388-149-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BV8OQTNO.txt
| MD5 | b5658f0be2a5b0d6ddf728389b93c014 |
| SHA1 | d897cf2c1ab44ebf49020bcec7458c5c2595728a |
| SHA256 | 881ca64436a9bd8d2ef6614a0ed22aef93f1ba1969e3b87225aa8b7250d30a73 |
| SHA512 | eb463a2a0e116016354ad82ef7cfb7100213774a58994d127ba98811a94b54c76373415b9bbf333fa346b640900d3064c0c0dc401ee1ea4e050e59fc07b65383 |
memory/1428-163-0x000000000009A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BP3J0MZ.txt
| MD5 | e7f1d1f614397da9b9e557f8f2eaead6 |
| SHA1 | 7e0651e2c7386bcb78b851805c567e0e68322004 |
| SHA256 | ff46e5bcaca80a46b9295998ba083238af55243107728168f469732bb0fd6639 |
| SHA512 | b70ac9e3f6f12bb9fcb7ba5cee5ebdf7048dc04a8e63c14fd81ab3983075f69ecea8f0cc6520f9f7b19eac4a80e3a3696caa3a7a4de48cfdcb9cee53eff9cf92 |
memory/1884-177-0x000000000009A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CD3J98KK.txt
| MD5 | 91b768cade3d39f4af5673810bedbb58 |
| SHA1 | f205262262b304bcc12cf69996ccb16b051ef161 |
| SHA256 | 53a1143fb41cca9271dd17490163ac93049bd04d6a86812bacb87bb294811dd8 |
| SHA512 | d2daa04c1423dc83e079fe8ef378e9ca08eda7623df3f23e1423b64fe8af6f0ac21fa61cf085d933d067d17fd9eba6873a9f74e8bfe8e97fc2259dbc3505c485 |
memory/316-191-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PEQN54TW.txt
| MD5 | 995f2f14c4ca172c0524c506097b59ec |
| SHA1 | 57bd709e5ffcc01f685757abe9cd4ce668b90068 |
| SHA256 | c2df64526f4efdd29d4e0344c552736fd07125af9bfde72df8ee67952a369c1e |
| SHA512 | 963399f167dd418e2f2b7dda40587b8fdd6b926679b732963206319065858deec3b81c4114284e285ab1d0b744b46a065678939450f0965002f59497e4ffd768 |
memory/1728-205-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X805Z13R.txt
| MD5 | 4b4cca9df512bbda0d72dc63bd7837d4 |
| SHA1 | cdd9a5394af7b02a6a03479ae5f58b185f078ca4 |
| SHA256 | 7b70e1efcf5678581b44abbeffce5d30b598e3afd790c031f9af0b259b62a440 |
| SHA512 | ae754487c79e005dd985b68ef4f623b531ffaf6ad5db4baed00127fd64285e7c7e9cdc678cafab3a3b20eadcf1a473936f9aa65c1d2d6b24ab79bdecf3f6072a |
memory/1936-219-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7VSL9F9E.txt
| MD5 | c6c9c9062caf4a46e77102263e343d56 |
| SHA1 | 171979bfe35857c1608e34c3e98b08a158a61520 |
| SHA256 | b97c5d1f09f4475e8fb390c2ebef4291d4727551f8a71a7f298e90d31899bb20 |
| SHA512 | 477022f8e0692c9e2a96676fd498c4cebf8d0669b1aa2af8f0e768f19a4e7bbc6177941d9de0ecd1099895154aa4fc425197bc18032d7e73666592c6dfd8d0c3 |
memory/1128-233-0x000000000009A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OXBC07B7.txt
| MD5 | a88b3bc6e3a1f930219422843ca1e1e5 |
| SHA1 | 99bc719d75acb4aa447ffe54decf71c00f571f0c |
| SHA256 | 3447ffc7e0accc3675e458aafe62ec8955d3f71d6bb341a98420dce470682d11 |
| SHA512 | 9a61477f3950d88d9960ef3115753585f1535e0ecb95a839978bb07784900147a2b245b85b7ec00e068cad15566276a8301e2c28cb0be1cb1c0d768a8ad7e44a |
memory/1240-247-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9M4BG4HP.txt
| MD5 | 2ea62a472e4b845b629ef6e3999fead1 |
| SHA1 | 6bb6705594236f2817f0017b7f2e38221d32c9c0 |
| SHA256 | 821969c5c8dfc6918c424aa38db5675c3d2efb0ea2f1883616ced6aee9f9f546 |
| SHA512 | 500da45ede07ba2cfc4f05097c1c352b525ac353b9b6fc7c925f6c76d83cb3b029275cb692dc36e9995aa7895767dfb7da53fc6cf3e11e282554f977351c39e9 |
memory/1648-261-0x000000000041A1F8-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DP3K9PQH.txt
| MD5 | c688506438589077e98dcc2aaa3ab5b8 |
| SHA1 | 1b6d3e4ea2da3d6d918eb61c80a9110180154bce |
| SHA256 | b115f3cd132e9f8f6923802bf001c78d2da7ef126b774fd559f1de2cd8bd1dd8 |
| SHA512 | 6cb0fd9e8ffe5d06e08d374b5a84ff8250dba9c0f1c5a7b6d34bc774b375bf8ecd136475fe29e0f92a57ca1e14590e0dda1b3a778c3c630c52c32f6f0120588c |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-20 13:37
Reported
2022-05-20 14:18
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
Azorult
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M13
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe
"C:\Users\Admin\AppData\Local\Temp\NSL SUGARS LTD UNIT.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| DE | 49.12.98.113:80 | | tcp |
| IE | 20.54.89.106:443 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
Files
memory/2796-130-0x0000000004030000-0x0000000004069000-memory.dmp
memory/2796-131-0x0000000004070000-0x00000000040A9000-memory.dmp
memory/4124-132-0x0000000000000000-mapping.dmp
memory/4124-133-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4124-141-0x0000000000400000-0x0000000000420000-memory.dmp
memory/4304-142-0x0000000000000000-mapping.dmp
memory/4304-143-0x00000000004B0000-0x00000000004D0000-memory.dmp
memory/4304-151-0x00000000004B0000-0x00000000004D0000-memory.dmp
memory/3628-152-0x0000000000000000-mapping.dmp
memory/2464-162-0x0000000000000000-mapping.dmp
memory/1184-172-0x0000000000000000-mapping.dmp
memory/2516-182-0x0000000000000000-mapping.dmp
memory/2796-192-0x00000000015C0000-0x00000000015E0000-memory.dmp
memory/4060-193-0x0000000000000000-mapping.dmp
memory/1372-203-0x0000000000000000-mapping.dmp
memory/4012-213-0x0000000000000000-mapping.dmp
memory/3368-223-0x0000000000000000-mapping.dmp
memory/3740-233-0x0000000000000000-mapping.dmp
memory/2264-243-0x0000000000000000-mapping.dmp
memory/3840-253-0x0000000000000000-mapping.dmp
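The Network and Files sections of both runs are machine-readable once the table rows and dump file names are parsed. The following Python is an added example, not code from this report or the sandbox: it parses rows copied from this page, tolerates the rows in the win10 run where the proto landed in the Domain column and the last cell was empty, counts connections per endpoint, and, for each PID, checks whether a recorded mapping address falls inside a dumped region of the same PID. On the page's own data PIDs 904 and 1820 both give offset 0x1A1F8 from their region base (0x41A1F8-0x400000 and 0x9A1F8-0x80000). Treating the "mapping" address as the entry address of the injected region is an assumption about the dump naming, not something the report states.

```python
"""Parse the Network and Files sections of the report above into IOCs.

Added example, not part of the report. REPORT_LINES is a constructed excerpt
copied from this page (both runs), so the script runs offline.
"""
import re
from collections import Counter, defaultdict

REPORT_LINES = """\
| Country | Destination | Domain | Proto |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
| US | 93.184.220.29:80 | tcp | |
| IE | 20.54.89.106:443 | tcp | |
| DE | 49.12.98.113:80 | tcp | |
| DE | 49.12.98.113:80 | 49.12.98.113 | tcp |
memory/1348-54-0x0000000076531000-0x0000000076533000-memory.dmp
memory/904-55-0x0000000000400000-0x0000000000420000-memory.dmp
memory/904-64-0x000000000041A1F8-mapping.dmp
memory/1820-99-0x0000000000080000-0x00000000000A0000-memory.dmp
memory/1820-106-0x000000000009A1F8-mapping.dmp
memory/4124-132-0x0000000000000000-mapping.dmp
memory/4124-133-0x0000000000400000-0x0000000000420000-memory.dmp
""".splitlines()

TABLE_ROW = re.compile(r"^\|(.*)\|$")
DUMP_NAME = re.compile(
    r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
PROTOS = {"tcp", "udp"}


def parse_network(lines):
    """One dict per connection row. A shifted row ("| US | ip:port | tcp | |")
    is recognised by the proto sitting in a non-proto cell; its domain is None."""
    rows = []
    for line in lines:
        m = TABLE_ROW.match(line.strip())
        if not m:
            continue
        cells = [c.strip() for c in m.group(1).split("|")]
        if cells[0] == "Country":
            continue  # header row
        country, dest = cells[0], cells[1]
        rest = [c for c in cells[2:] if c]
        proto = next((c for c in rest if c in PROTOS), None)
        domain = next((c for c in rest if c not in PROTOS), None)
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def c2_summary(rows):
    """Connections per (ip, port); the dominant pair is the check-in target."""
    return Counter((r["ip"], r["port"]) for r in rows)


def parse_dumps(lines):
    """Group dump names by PID into memory regions [(start, end)] and mapping addresses."""
    by_pid = defaultdict(lambda: {"regions": [], "mappings": []})
    for line in lines:
        m = DUMP_NAME.match(line.strip())
        if not m:
            continue
        pid, start, end, kind = int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)
        if kind == "memory" and end:
            by_pid[pid]["regions"].append((start, int(end, 16)))
        elif kind == "mapping":
            by_pid[pid]["mappings"].append(start)
    return dict(by_pid)


def mapping_offsets(by_pid):
    """(pid, region_base, offset) for every mapping address that lies inside a
    dumped region of the same PID. A zero mapping address carries no location
    and is skipped. Equal offsets across PIDs suggest the same payload mapped
    at different bases."""
    out = []
    for pid, d in sorted(by_pid.items()):
        for addr in d["mappings"]:
            if addr == 0:
                continue
            for lo, hi in d["regions"]:
                if lo <= addr < hi:
                    out.append((pid, lo, addr - lo))
    return out


if __name__ == "__main__":
    rows = parse_network(REPORT_LINES)
    for (ip, port), n in c2_summary(rows).most_common():
        print(f"{ip}:{port}  {n} connection(s)")
    for pid, base, off in mapping_offsets(parse_dumps(REPORT_LINES)):
        print(f"pid {pid}: mapping at base 0x{base:X} + 0x{off:X}")
```

Feed it the full Network tables from both runs and 49.12.98.113:80 dominates; the Azure, Akamai and 93.184.220.29 endpoints appear only in the win10 run and are worth separating from the check-in traffic before anything from this table goes into a blocklist.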