azorult | abb8146908e34fbd71e48b8923e734b496e9957cf850674659f1a591bf2000c2

General

Target

PICTURE FOR ILLUSTRATION.exe
Size

212KB
MD5

025030d30646897352afc77898f4014b
SHA1

cb6edbf932827a5d92b39e74cbd1f3c7992fa1f1
SHA256

229aaa16670e60669a955690e0104fdd3e0e2621974b11d6dbb9804aea38f963
SHA512

58cb66cc15886a67af396342fec8a7923a78818103b967d853944c9640768cae5624dc04ee821c9f9142b2bcb9887477de202538ba06a7f8ee8ddc5771da3d1e

Score

10^/10

Family

azorult

C2

http://217.160.246.104/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

Processes:

resource	yara_rule
behavioral1/memory/892-56-0x0000000000D20000-0x0000000000D4A000-memory.dmp	rezer0

Suspicious use of SetThreadContext 1 IoCs

Processes:

PICTURE FOR ILLUSTRATION.exe

description pid process target process

PID 892 set thread context of 1736 892 PICTURE FOR ILLUSTRATION.exe PICTURE FOR ILLUSTRATION.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

PICTURE FOR ILLUSTRATION.exe

pid process

892 PICTURE FOR ILLUSTRATION.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PICTURE FOR ILLUSTRATION.exe

description pid process

Token: SeDebugPrivilege 892 PICTURE FOR ILLUSTRATION.exe

description	pid	process	target process
PID 892 set thread context of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe

pid	process
892	PICTURE FOR ILLUSTRATION.exe

description	pid	process
Token: SeDebugPrivilege	892	PICTURE FOR ILLUSTRATION.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

PICTURE FOR ILLUSTRATION.exe

description	pid	process	target process
PID 892 wrote to memory of 836	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 836	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 836	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 836	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe
PID 892 wrote to memory of 1736	892	PICTURE FOR ILLUSTRATION.exe	PICTURE FOR ILLUSTRATION.exe

C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"{path}"
2⤵
PID:836

C:\Users\Admin\AppData\Local\Temp\PICTURE FOR ILLUSTRATION.exe
"{path}"
2⤵
PID:1736

memory/892-54-0x0000000000DA0000-0x0000000000DDC000-memory.dmp

Filesize
240KB

Download
memory/892-55-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/892-56-0x0000000000D20000-0x0000000000D4A000-memory.dmp

Filesize
168KB

Download
memory/1736-57-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-65-0x000000000041A1F8-mapping.dmp

Download
memory/1736-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1736-68-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1736-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download