azorult | e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7

General

Target

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe
Size

246KB
MD5

bc6e81255131133a0f8e9ea4cea63d1a
SHA1

c6daa783428bc85f48f5b3d906b56e13d10ec7eb
SHA256

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7
SHA512

ee7a61c5a9af70e7970641da0d8ca904c7c5859b6e946cbbfbef9226546ebe6a51f770e25bb554151956dbe51b77fa133961612e92796e5c6b2bce655449b062

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://e4v5sa.xyz/PL341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

lwkcbv.exelwkcbv.exe

pid process

408 lwkcbv.exe
1168 lwkcbv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
408	lwkcbv.exe
1168	lwkcbv.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exelwkcbv.exe

description	pid	process	target process
PID 2776 wrote to memory of 408	2776	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 2776 wrote to memory of 408	2776	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 2776 wrote to memory of 408	2776	e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe
PID 408 wrote to memory of 1168	408	lwkcbv.exe	lwkcbv.exe

C:\Users\Admin\AppData\Local\Temp\e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe
"C:\Users\Admin\AppData\Local\Temp\e87856cc1fe76353e5ca3957aa6951f957c6d097407fcc1258ae3d72c8d923b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe C:\Users\Admin\AppData\Local\Temp\vfloigqd
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe C:\Users\Admin\AppData\Local\Temp\vfloigqd
3⤵
- Executes dropped EXE
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe

Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe

Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwkcbv.exe

Filesize
64KB

MD5
aaa2ef7131d588fa6f96a645f0bdb8a2

SHA1
800a9badf314335ea00e9926b2217a6335b106b7

SHA256
f8c14fbce31f3fc8ae816f9f6ac50c14d55a9689e0bcaf8b55152d081fd1c2a5

SHA512
492711c755b0d27463d37f72bddec36ee7c4e9510c40d122876512334a76d7e6ece09ee46b7a472e026aae0a52453e89457e88a328888ac79dd08719b2d6158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\skwe7k8r3x

Filesize
111KB

MD5
226c5855242ee35ce3a51cfb3346f3bc

SHA1
25620586916cda93b377df5a86915205da0128c5

SHA256
16fe1baf817863a33b29c2b1ea1680931fb8726ee45cee1cc139cdc0a1b2a2a5

SHA512
c9e44ee820e207f55fdce7539a2f7e291e6afd9295d4a1f4558136b2e4348df4d34708371b667875836a2950af8429709541bbfa5be3d8a8d32898b0decc5197

Download Submit
C:\Users\Admin\AppData\Local\Temp\vfloigqd

Filesize
4KB

MD5
b787488b159b7291448881e6cf5cd6c4

SHA1
a5bcce8af707ca48171043eb1c3d7618ec224ba9

SHA256
c376c7e1015e220de379598025778d8b928a76453d574e4b5424dc11d3157339

SHA512
568710f6e1abd5f9bb3cf808ab4ad95d5a6a918317c9220e0d457343c86800a558e40e6dd7c51c66bada313629860c9a488dd9be134c31ccc31a1c556efd867f

Download Submit
memory/408-130-0x0000000000000000-mapping.dmp

Download
memory/1168-137-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1168-135-0x0000000000000000-mapping.dmp

Download
memory/1168-139-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/1168-142-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing