azorult | b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a

General

Target

b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
Size

589KB
MD5

f04791f80ce74a9702ecda811fca7edf
SHA1

33e5c4fd1858bf56c91586ce72daa6029039e23d
SHA256

b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
SHA512

6fe47afdc7485b6ae7287070f66a0d3831a8cdc82b0a3c96281ad80a45d9c4361023d61cf2f382fda4d916f5c1681a3359e9a5567270af782bd26a2a08ab7974

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://89.43.107.198/mpom/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

ufzxfyzp.exeufzxfyzp.exe

pid process

2744 ufzxfyzp.exe
2700 ufzxfyzp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2744	ufzxfyzp.exe
2700	ufzxfyzp.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exeufzxfyzp.exe

description	pid	process	target process
PID 2120 wrote to memory of 2744	2120	b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe	ufzxfyzp.exe
PID 2120 wrote to memory of 2744	2120	b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe	ufzxfyzp.exe
PID 2120 wrote to memory of 2744	2120	b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe
PID 2744 wrote to memory of 2700	2744	ufzxfyzp.exe	ufzxfyzp.exe

C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
3⤵
- Executes dropped EXE
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya
Filesize
214KB

MD5
664dc99256a895e016c2a583aa186011

SHA1
d543975302871a614057d02e12c3531698c0b706

SHA256
67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939

SHA512
37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml
Filesize
4KB

MD5
d794073cea5c25016fc9e10d9d561d3b

SHA1
0a864adb3a08b19cbadb52f70281c1a48ef62a90

SHA256
850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2

SHA512
cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
Filesize
171KB

MD5
1398f625da2ce1ea75874863a150ed27

SHA1
36f3466a87ba1d195658d4fda7dc724b7ccfbca5

SHA256
7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f

SHA512
b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
Filesize
171KB

MD5
1398f625da2ce1ea75874863a150ed27

SHA1
36f3466a87ba1d195658d4fda7dc724b7ccfbca5

SHA256
7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f

SHA512
b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
Filesize
171KB

MD5
1398f625da2ce1ea75874863a150ed27

SHA1
36f3466a87ba1d195658d4fda7dc724b7ccfbca5

SHA256
7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f

SHA512
b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

Download Submit
memory/2700-135-0x0000000000000000-mapping.dmp

Download
memory/2700-137-0x0000000000D50000-0x0000000000D70000-memory.dmp

Filesize
128KB

Download
memory/2700-139-0x0000000000D50000-0x0000000000D70000-memory.dmp

Filesize
128KB

Download
memory/2700-142-0x0000000000D50000-0x0000000000D70000-memory.dmp

Filesize
128KB

Download
memory/2744-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing