Malware Analysis Report

2025-08-05 14:30

Sample ID 220523-b8p9tseghl
Target 72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe
SHA256 72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31
Tags
azorult infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31

Threat Level: Known bad

The file 72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-23 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win7-20220414-en

Max time kernel

61s

Max time network

67s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

Signatures

Azorult

trojan infostealer azorult

Suspicious use of WriteProcessMemory

Description:  PID 532 wrote to memory of 860 (10 identical events)
Indicator:    N/A
Process:      C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe
Target:       C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

Processes

C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

Network

Country  Destination  Domain       Proto
US       8.8.8.8:53   bl1we4t.xyz  udp
US       8.8.8.8:53   bl1we4t.xyz  udp

Files

memory/532-54-0x0000000000D10000-0x0000000000DA2000-memory.dmp

memory/532-55-0x0000000075711000-0x0000000075713000-memory.dmp

memory/532-56-0x00000000005E0000-0x00000000005EA000-memory.dmp

memory/532-57-0x0000000004370000-0x00000000043D6000-memory.dmp

memory/532-58-0x0000000000B00000-0x0000000000B22000-memory.dmp

memory/860-59-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-60-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-62-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-66-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-67-0x000000000041A684-mapping.dmp

memory/860-69-0x0000000000400000-0x0000000000420000-memory.dmp

memory/860-71-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win10v2004-20220414-en

Max time kernel

113s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

Signatures

Azorult

trojan infostealer azorult

Suspicious use of AdjustPrivilegeToken

Description:  Token: SeDebugPrivilege
Indicator:    N/A
Process:      C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe
Target:       N/A

Suspicious use of WriteProcessMemory

Description:  PID 4472 wrote to memory of 3108 (3 identical events)
Indicator:    N/A
Process:      C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe
Target:       C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

Description:  PID 4472 wrote to memory of 4288 (9 identical events)
Indicator:    N/A
Process:      C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe
Target:       C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

Processes

C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe

"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

Network

Country  Destination         Domain       Proto
US       52.109.12.18:443                 tcp
US       209.197.3.8:80                   tcp
US       8.8.8.8:53          bl1we4t.xyz  udp
US       8.8.8.8:53          bl1we4t.xyz  udp
US       209.197.3.8:80                   tcp
US       52.168.117.170:443               tcp

Files

memory/4472-130-0x0000000000840000-0x00000000008D2000-memory.dmp

memory/4472-131-0x0000000005960000-0x0000000005F04000-memory.dmp

memory/4472-132-0x00000000052A0000-0x0000000005332000-memory.dmp

memory/4472-133-0x0000000005280000-0x000000000528A000-memory.dmp

memory/4472-134-0x0000000008CF0000-0x0000000008D8C000-memory.dmp

memory/4472-135-0x0000000009180000-0x00000000091E6000-memory.dmp

memory/3108-136-0x0000000000000000-mapping.dmp

memory/4288-137-0x0000000000000000-mapping.dmp

memory/4288-138-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4288-140-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4288-141-0x0000000000400000-0x0000000000420000-memory.dmp
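Both detonations show the same shape in the rows above: the sample writes into a second copy of itself (PID 532 into 860 on Windows 7; PID 4472 into 3108 and 4288 on Windows 10), the Analysis Overview lists SetThreadContext next to WriteProcessMemory, and the child's dumped 0x400000-0x420000 region in behavioral1 has a mapping dump at 0x41A684 inside it. A parent writing into a child of its own image and then setting a thread context is the process-hollowing pattern; the report does not say so in words, so treat that reading as the analyst's, not the sandbox's. The script below is an added example, not part of this report and not the sandbox's own tooling. It parses the row formats shown above (the parser's line formats are an assumed approximation of the report layout, and process paths are assumed to contain no spaces) and reports injection pairs with write counts, privileges adjusted, and network IOCs; the "hollowed-candidate" label it attaches is this script's own heuristic.

```python
"""Triage helper for the injection, privilege, memory-dump and network rows of a
sandbox report like the one above (added example, not the report's own code).

ASSUMPTIONS not taken from the page: the row formats below approximate the
report layout, process paths contain no spaces, and the verdict labels are
this script's heuristic rather than anything the report states."""
import re
from collections import defaultdict

# Image path shared by every process in the report (copied from the rows above).
IMG = r"C:\Users\Admin\AppData\Local\Temp\72dd053427dd0cc5c78f9ee5a9d8a2e9381855a17b7e32ad63e760893240fa31.exe"

# Constructed samples: one line per event, rebuilt from the two detonations' rows.
SAMPLE_B1 = [f"PID 532 wrote to memory of 860 N/A {IMG} {IMG}"] * 10 + [
    "memory/860-59-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/860-67-0x000000000041A684-mapping.dmp",
    "US 8.8.8.8:53 bl1we4t.xyz udp",
    "US 8.8.8.8:53 bl1we4t.xyz udp",
]
SAMPLE_B2 = (
    [f"Token: SeDebugPrivilege N/A {IMG} N/A"]
    + [f"PID 4472 wrote to memory of 3108 N/A {IMG} {IMG}"] * 3
    + [f"PID 4472 wrote to memory of 4288 N/A {IMG} {IMG}"] * 9
    + [
        "memory/3108-136-0x0000000000000000-mapping.dmp",
        "memory/4288-137-0x0000000000000000-mapping.dmp",
        "memory/4288-138-0x0000000000400000-0x0000000000420000-memory.dmp",
        "US 52.109.12.18:443 tcp",
        "US 209.197.3.8:80 tcp",
        "US 8.8.8.8:53 bl1we4t.xyz udp",
        "US 52.168.117.170:443 tcp",
    ]
)

# Row formats (assumed): WriteProcessMemory, AdjustPrivilegeToken, memory dump name, network row.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
NET_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_events(lines):
    """Sort report rows into write, token, dump and network events; unknown rows are skipped."""
    ev = {"writes": [], "tokens": [], "dumps": [], "net": []}
    for raw in lines:
        line = raw.strip()
        if m := WPM_RE.match(line):
            src, dst, _ind, sp, tp = m.groups()
            ev["writes"].append({"src": int(src), "dst": int(dst), "src_path": sp, "dst_path": tp})
        elif m := TOKEN_RE.match(line):
            ev["tokens"].append({"privilege": m.group(1), "process": m.group(3)})
        elif m := DUMP_RE.match(line):
            pid, start, end, kind = m.groups()
            ev["dumps"].append({"pid": int(pid), "start": int(start, 16),
                                "end": int(end, 16) if end else None, "kind": kind})
        elif m := NET_RE.match(line):
            _cc, host, port, domain, proto = m.groups()
            ev["net"].append({"host": host, "port": int(port), "domain": domain, "proto": proto})
    return ev


def injection_summary(ev):
    """Count writes per (writer, target) pair and flag pairs where both run the same image."""
    pairs = defaultdict(lambda: {"writes": 0, "same_image": False})
    for w in ev["writes"]:
        p = pairs[(w["src"], w["dst"])]
        p["writes"] += 1
        p["same_image"] = w["src_path"].lower() == w["dst_path"].lower()
    return dict(pairs)


def image_regions(ev, pid):
    """Dumped (start, end) ranges of `pid`, and mapping-dump addresses that fall inside one of them."""
    regions = {(d["start"], d["end"]) for d in ev["dumps"] if d["pid"] == pid and d["kind"] == "memory"}
    inside = sorted({d["start"] for d in ev["dumps"] if d["pid"] == pid and d["kind"] == "mapping"
                     and any(s <= d["start"] < e for s, e in regions)})
    return regions, inside


def hollowing_candidates(ev):
    """Targets of same-image writes; 'hollowed-candidate' only if a region of the target was dumped."""
    out = {}
    for (src, dst), p in injection_summary(ev).items():
        if not p["same_image"]:
            continue
        regions, inside = image_regions(ev, dst)
        out[dst] = {"writer": src, "writes": p["writes"], "regions": sorted(regions),
                    "mapping_inside": inside,
                    "verdict": "hollowed-candidate" if regions else "written-only"}
    return out


def network_iocs(ev):
    """Distinct domains queried and host:port/proto endpoints contacted."""
    return {"domains": sorted({n["domain"] for n in ev["net"] if n["domain"]}),
            "endpoints": sorted({f'{n["host"]}:{n["port"]}/{n["proto"]}' for n in ev["net"]})}


def triage(lines):
    ev = parse_events(lines)
    return {"injection": hollowing_candidates(ev),
            "privileges": sorted({t["privilege"] for t in ev["tokens"]}),
            "network": network_iocs(ev)}


if __name__ == "__main__":
    import json
    for name, sample in (("behavioral1", SAMPLE_B1), ("behavioral2", SAMPLE_B2)):
        print(name, json.dumps(triage(sample), indent=2, default=str))
```

Run stand-alone it prints one summary per detonation. The split between "hollowed-candidate" and "written-only" is what separates PID 4288 (nine writes plus a dumped 0x400000-0x420000 region) from PID 3108 (three writes, only a zero-address mapping dump) in behavioral2; a real hunt rule would pair this with the SetThreadContext and CreateProcess-suspended events that this report does not itemise.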