azorult | 9665993758f1e1b1c83655a8d196c7651f1d143bf59d35e48a66eff7f6be1f53

General

Target

PI_#06875654.exe
Size

613KB
MD5

f39696f5a42d2d53c17050bbfcc5154e
SHA1

8f5b5241ffbff92bc59d5801c064b881fbdd69dc
SHA256

5dd9ce8ab0197fc220eaf0aa845f57454a2b88c95deb59acbae8e8945bb25b4f
SHA512

2eee98e43403d6740501dfe479529eb429ec300845691f8c81b38940cfa65d689fba48267abd42ed7f3532646b4f714a0fbba230871cced7fc9b8d6bc67f3f28

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 4 IoCs

Processes:

PI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exe

description	pid	process	target process
PID 1840 set thread context of 3296	1840	PI_#06875654.exe	PI_#06875654.exe
PID 2020 set thread context of 4332	2020	PI_#06875654.exe	PI_#06875654.exe
PID 4252 set thread context of 2572	4252	PI_#06875654.exe	PI_#06875654.exe
PID 2448 set thread context of 3164	2448	PI_#06875654.exe	PI_#06875654.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PI_#06875654.exePI_#06875654.exe

pid	process
1840	PI_#06875654.exe
1840	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe
2912	PI_#06875654.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

PI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exe

pid process

1840 PI_#06875654.exe
2020 PI_#06875654.exe
4252 PI_#06875654.exe
2448 PI_#06875654.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

PI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exePI_#06875654.exe

description	pid	process	target process
PID 1840 wrote to memory of 3296	1840	PI_#06875654.exe	PI_#06875654.exe
PID 1840 wrote to memory of 3296	1840	PI_#06875654.exe	PI_#06875654.exe
PID 1840 wrote to memory of 3296	1840	PI_#06875654.exe	PI_#06875654.exe
PID 1840 wrote to memory of 2912	1840	PI_#06875654.exe	PI_#06875654.exe
PID 1840 wrote to memory of 2912	1840	PI_#06875654.exe	PI_#06875654.exe
PID 1840 wrote to memory of 2912	1840	PI_#06875654.exe	PI_#06875654.exe
PID 2912 wrote to memory of 2020	2912	PI_#06875654.exe	PI_#06875654.exe
PID 2912 wrote to memory of 2020	2912	PI_#06875654.exe	PI_#06875654.exe
PID 2912 wrote to memory of 2020	2912	PI_#06875654.exe	PI_#06875654.exe
PID 2020 wrote to memory of 4332	2020	PI_#06875654.exe	PI_#06875654.exe
PID 2020 wrote to memory of 4332	2020	PI_#06875654.exe	PI_#06875654.exe
PID 2020 wrote to memory of 4332	2020	PI_#06875654.exe	PI_#06875654.exe
PID 2020 wrote to memory of 4280	2020	PI_#06875654.exe	PI_#06875654.exe
PID 2020 wrote to memory of 4280	2020	PI_#06875654.exe	PI_#06875654.exe
PID 2020 wrote to memory of 4280	2020	PI_#06875654.exe	PI_#06875654.exe
PID 4280 wrote to memory of 4252	4280	PI_#06875654.exe	PI_#06875654.exe
PID 4280 wrote to memory of 4252	4280	PI_#06875654.exe	PI_#06875654.exe
PID 4280 wrote to memory of 4252	4280	PI_#06875654.exe	PI_#06875654.exe
PID 4252 wrote to memory of 2572	4252	PI_#06875654.exe	PI_#06875654.exe
PID 4252 wrote to memory of 2572	4252	PI_#06875654.exe	PI_#06875654.exe
PID 4252 wrote to memory of 2572	4252	PI_#06875654.exe	PI_#06875654.exe
PID 4252 wrote to memory of 3044	4252	PI_#06875654.exe	PI_#06875654.exe
PID 4252 wrote to memory of 3044	4252	PI_#06875654.exe	PI_#06875654.exe
PID 4252 wrote to memory of 3044	4252	PI_#06875654.exe	PI_#06875654.exe
PID 3044 wrote to memory of 2448	3044	PI_#06875654.exe	PI_#06875654.exe
PID 3044 wrote to memory of 2448	3044	PI_#06875654.exe	PI_#06875654.exe
PID 3044 wrote to memory of 2448	3044	PI_#06875654.exe	PI_#06875654.exe
PID 2448 wrote to memory of 3164	2448	PI_#06875654.exe	PI_#06875654.exe
PID 2448 wrote to memory of 3164	2448	PI_#06875654.exe	PI_#06875654.exe
PID 2448 wrote to memory of 3164	2448	PI_#06875654.exe	PI_#06875654.exe
PID 2448 wrote to memory of 2244	2448	PI_#06875654.exe	PI_#06875654.exe
PID 2448 wrote to memory of 2244	2448	PI_#06875654.exe	PI_#06875654.exe
PID 2448 wrote to memory of 2244	2448	PI_#06875654.exe	PI_#06875654.exe

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
2⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3296 240540375
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
4⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 4332 240582953
4⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
6⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 2572 240625312
6⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2448

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe"
8⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe
"C:\Users\Admin\AppData\Local\Temp\PI_#06875654.exe" 2 3164 240667703
8⤵
PID:2244

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1840-132-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2020-134-0x0000000000000000-mapping.dmp

Download
memory/2020-137-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2244-146-0x0000000000000000-mapping.dmp

Download
memory/2244-148-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2448-144-0x0000000000000000-mapping.dmp

Download
memory/2448-147-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2572-140-0x0000000000000000-mapping.dmp

Download
memory/2912-133-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/2912-131-0x0000000000000000-mapping.dmp

Download
memory/3044-141-0x0000000000000000-mapping.dmp

Download
memory/3044-143-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/3164-145-0x0000000000000000-mapping.dmp

Download
memory/3296-130-0x0000000000000000-mapping.dmp

Download
memory/4252-142-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4252-139-0x0000000000000000-mapping.dmp

Download
memory/4280-138-0x0000000000400000-0x00000000004A1000-memory.dmp

Filesize
644KB

Download
memory/4280-136-0x0000000000000000-mapping.dmp

Download
memory/4332-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads