Malware Analysis Report

2025-08-10 19:44

Sample ID: 220520-rtqvtabdaj
Target: eb5c42c60c0920dbd637295b097801bb65b209f2c362dcdd0a8816dd27169bc6
SHA256: eb5c42c60c0920dbd637295b097801bb65b209f2c362dcdd0a8816dd27169bc6
Tags: azorult, infostealer, suricata, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: eb5c42c60c0920dbd637295b097801bb65b209f2c362dcdd0a8816dd27169bc6

Threat Level: Known bad

The file eb5c42c60c0920dbd637295b097801bb65b209f2c362dcdd0a8816dd27169bc6 was found to be: Known bad.

Malicious Activity Summary

Tags: azorult, infostealer, suricata, trojan

Azorult

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-20 14:29

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-20 14:29
Reported: 2022-05-20 16:03
Platform: win10v2004-20220414-en
Max time kernel: 88s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Signatures

Azorult (tags: trojan, infostealer, azorult)

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14 (tags: suricata)

Suspicious use of SetThreadContext

Description: PID 2924 set thread context of 3328
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Network

Country  Destination        Domain                           Proto
NL       52.109.88.35:443   -                                tcp
IE       20.50.80.209:443   -                                tcp
FR       51.83.105.108:80   51.83.105.108                    tcp
US       8.8.8.8:53         226.101.242.52.in-addr.arpa      udp

Files

memory/2924-131-0x0000000002470000-0x0000000002482000-memory.dmp

memory/3328-132-0x0000000000000000-mapping.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-20 14:29
Reported: 2022-05-20 16:03
Platform: win7-20220414-en
Max time kernel: 35s
Max time network: 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Signatures

Azorult (tags: trojan, infostealer, azorult)

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M4 (tags: suricata)

Suspicious use of SetThreadContext

Description: PID 560 set thread context of 904
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Network

Country  Destination        Domain           Proto
FR       51.83.105.108:80   51.83.105.108    tcp

Files

memory/560-54-0x00000000753E1000-0x00000000753E3000-memory.dmp

memory/560-56-0x0000000001FE0000-0x0000000001FF2000-memory.dmp

memory/904-57-0x000000000041A1F8-mapping.dmp