Malware Analysis Report

2025-08-10 19:43

Sample ID: 220520-rv3wrsgeb4
Target: 830adc147fe70810ce5c8fae67563dbb92735ec2cd78c58705758dbd220ef595
SHA256: 830adc147fe70810ce5c8fae67563dbb92735ec2cd78c58705758dbd220ef595
Tags: azorult infostealer suricata trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 830adc147fe70810ce5c8fae67563dbb92735ec2cd78c58705758dbd220ef595

Threat Level: Known bad

The file 830adc147fe70810ce5c8fae67563dbb92735ec2cd78c58705758dbd220ef595 was found to be: Known bad.

Malicious Activity Summary

azorult infostealer suricata trojan

Azorult

suricata: ET MALWARE AZORult Variant.4 Checkin M2

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-20 14:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-20 14:31
Reported: 2022-05-20 15:45
Platform: win7-20220414-en
Max time kernel: 39s
Max time network: 62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Signatures

Azorult (tags: trojan infostealer azorult)

suricata: ET MALWARE AZORult Variant.4 Checkin M2 (tags: suricata)

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6 (tags: suricata)

Suspicious use of SetThreadContext

Description: PID 1904 set thread context of 904
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Network

Country Destination Domain Proto
FR 51.210.159.130:80 51.210.159.130 tcp

Files

memory/1904-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

memory/1904-56-0x0000000000650000-0x0000000000662000-memory.dmp

memory/904-57-0x000000000041A1F8-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-20 14:31
Reported: 2022-05-20 15:45
Platform: win10v2004-20220414-en
Max time kernel: 154s
Max time network: 193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Signatures

Azorult (tags: trojan infostealer azorult)

suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M14 (tags: suricata)

Suspicious use of SetThreadContext

Description: PID 3984 set thread context of 4412
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Target: N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Process: C:\Users\Admin\AppData\Local\Temp\Company Profile.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Company Profile.exe"

Network


Files

memory/3984-131-0x0000000003FA0000-0x0000000003FB2000-memory.dmp

memory/4412-132-0x0000000000000000-mapping.dmp