Malware Analysis Report

2025-08-10 19:44

Sample ID 220520-qwzeashbbp
Target 19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82
SHA256 19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82
Tags azorult infostealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82

Threat Level: Known bad

The file 19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-20 13:37

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-20 13:37

Reported

2022-05-20 14:24

Platform

win7-20220414-en

Max time kernel

36s

Max time network

41s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-20 13:37

Reported

2022-05-20 14:26

Platform

win10v2004-20220414-en

Max time kernel

141s

Max time network

155s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\19f50940507472ca2d33eaf199911ab9c9451e5610e6b55f7ce443b08680ca82.zip

Network

Country  Destination          Domain  Proto
US       20.42.73.26:443      N/A     tcp
IE       20.54.110.249:443    N/A     tcp
NL       87.248.202.1:80      N/A     tcp
NL       87.248.202.1:80      N/A     tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-05-20 13:37

Reported

2022-05-20 14:26

Platform

win7-20220414-en

Max time kernel

151s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

Signatures

Azorult

trojan infostealer azorult

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 1948 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

Network

Country  Destination          Domain  Proto
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp

Files

memory/1948-54-0x0000000076721000-0x0000000076723000-memory.dmp

memory/1928-55-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/1928-57-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/1928-64-0x00000000000DA1F8-mapping.dmp

memory/1928-66-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/1948-68-0x0000000000680000-0x00000000006B9000-memory.dmp

memory/1948-69-0x0000000000CE0000-0x0000000000D19000-memory.dmp

memory/1708-72-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/1708-79-0x000000000009A1F8-mapping.dmp

memory/1708-81-0x0000000000080000-0x00000000000A0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-05-20 13:37

Reported

2022-05-20 14:25

Platform

win10v2004-20220414-en

Max time kernel

157s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

Signatures

Azorult

trojan infostealer azorult

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe
PID 2852 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe

"C:\Users\Admin\AppData\Local\Temp\Rabih Trading LLC Dubai.exe"

Network

Country  Destination          Domain  Proto
DE       51.116.180.53:80     N/A     tcp
US       104.208.16.89:443    N/A     tcp
NL       8.238.21.254:80      N/A     tcp
NL       8.238.21.254:80      N/A     tcp
NL       8.238.21.254:80      N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp
DE       51.116.180.53:80     N/A     tcp

Files

memory/2852-130-0x0000000000D40000-0x0000000000D79000-memory.dmp

memory/2852-131-0x0000000001330000-0x0000000001369000-memory.dmp

memory/2776-132-0x0000000000000000-mapping.dmp

memory/2776-133-0x0000000000A80000-0x0000000000AA0000-memory.dmp

memory/2776-141-0x0000000000A80000-0x0000000000AA0000-memory.dmp

memory/1324-142-0x0000000000000000-mapping.dmp

memory/1324-143-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1324-151-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2852-152-0x0000000002460000-0x0000000002480000-memory.dmp

memory/4704-153-0x0000000000000000-mapping.dmp

memory/4704-154-0x00000000001D0000-0x00000000001F0000-memory.dmp

memory/4704-162-0x00000000001D0000-0x00000000001F0000-memory.dmp