azorult | ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899

General

Target

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
Size

405KB
MD5

e7993154a6aaf11628634216d9228ab6
SHA1

eaa844a817fd4dde1ba6c4138dfa4966f7937fd7
SHA256

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899
SHA512

c1c9f91292996b997545c62083895e97693c6d46f32220c63e37984e2e725dc9cd276d0bff4a71b2a5b6adeb06520ac33e6c2d231c23a1573fd2e2931a88ef27

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://46.183.223.118/chido/Panel/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2004 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

pid process

1376 ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

pid	process
2004	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

description	pid	process	target process
PID 1376 set thread context of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

pid	process
1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

description pid process

Token: SeDebugPrivilege 1376 ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

description	pid	process
Token: SeDebugPrivilege	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe

description	pid	process	target process
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe
PID 1376 wrote to memory of 2004	1376	ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe
"C:\Users\Admin\AppData\Local\Temp\ed1b87ee67f17d07ffded59e2f27e583b23cae2b21a3ea47cff0bf277d743899.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
20KB

MD5
54a47f6b5e09a77e61649109c6a08866

SHA1
4af001b3c3816b860660cf2de2c0fd3c1dfb4878

SHA256
121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2

SHA512
88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419

Download Submit
memory/1376-58-0x0000000000810000-0x0000000000816000-memory.dmp

Filesize
24KB

Download
memory/1376-55-0x0000000000540000-0x0000000000570000-memory.dmp

Filesize
192KB

Download
memory/1376-54-0x0000000000220000-0x000000000028C000-memory.dmp

Filesize
432KB

Download
memory/1376-56-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1376-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2004-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-68-0x000000000041A1F8-mapping.dmp

Download
memory/2004-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads