azorult | 99d4d18e906e44d3b08aede8237928a7a6866378516bd07695f2bca4fc8a954f

General

Target

RFQ PC00056942.exe
Size

285KB
MD5

49226c62012170c00a4cccae8d61c363
SHA1

aa1af05c892e18e611f153263bd5582536243de6
SHA256

b7867882baba4d27ac04f4b537b20a90166c5d3c82247f84ed338cf7cafba649
SHA512

6a56506a92148ada8a9e0562fc6bc18c594cd4047108e9921d8d15ef5499b9628674b54ef37ed32a9c345c9c4ab43b4f983bd4ca77320da374991ef41f518da7

Score

10^/10

Family

azorult

C2

http://217.160.254.33/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ PC00056942.exe

description pid process target process

PID 1564 set thread context of 2016 1564 RFQ PC00056942.exe RFQ PC00056942.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RFQ PC00056942.exe

pid process

1564 RFQ PC00056942.exe
1564 RFQ PC00056942.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ PC00056942.exe

description pid process

Token: SeDebugPrivilege 1564 RFQ PC00056942.exe

description	pid	process	target process
PID 1564 set thread context of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe

pid	process
1564	RFQ PC00056942.exe
1564	RFQ PC00056942.exe

description	pid	process
Token: SeDebugPrivilege	1564	RFQ PC00056942.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

RFQ PC00056942.exe

description	pid	process	target process
PID 1564 wrote to memory of 816	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 816	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 816	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 816	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2028	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2028	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2028	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2028	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe
PID 1564 wrote to memory of 2016	1564	RFQ PC00056942.exe	RFQ PC00056942.exe

C:\Users\Admin\AppData\Local\Temp\RFQ PC00056942.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ PC00056942.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\RFQ PC00056942.exe
  "{path}"
  2⤵
  PID:816
- C:\Users\Admin\AppData\Local\Temp\RFQ PC00056942.exe
  "{path}"
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\RFQ PC00056942.exe
  "{path}"
  2⤵
  PID:2016

memory/1564-54-0x00000000001F0000-0x000000000023E000-memory.dmp

Filesize
312KB

Download
memory/1564-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1564-56-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1564-57-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/2016-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-66-0x000000000041A1F8-mapping.dmp

Download
memory/2016-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download