Malware Analysis Report

2025-08-05 14:30

Sample ID: 220523-b8pnasbdf2
Target: fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
SHA256: fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a
Tags: azorult, infostealer, trojan
Score: 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a
Threat Level: Known bad

The file fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe was found to be: Known bad.

Malicious Activity Summary

Tags: azorult, infostealer, trojan

- Azorult
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2022-05-23 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-23 01:49
Reported: 2022-05-23 01:56
Platform: win7-20220414-en
Max time kernel: 73s
Max time network: 75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"

Signatures

Azorult

Tags: trojan, infostealer, azorult

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                                                                                                   Target
PID 1652 wrote to memory of 1336   N/A        C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe   C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe

(The row above was recorded 10 times with identical values: PID 1652 wrote to the memory of PID 1336 ten times.)

Processes

C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"

C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"

Network

Country  Destination   Domain      Proto
US       8.8.8.8:53    e4v5sa.xyz  udp
US       8.8.8.8:53    e4v5sa.xyz  udp

Files

memory/1652-54-0x0000000001130000-0x0000000001204000-memory.dmp

memory/1652-55-0x0000000076461000-0x0000000076463000-memory.dmp

memory/1652-56-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1652-57-0x0000000006080000-0x0000000006124000-memory.dmp

memory/1652-58-0x0000000000B20000-0x0000000000B82000-memory.dmp

memory/1336-60-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-59-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-62-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-67-0x000000000041A684-mapping.dmp

memory/1336-66-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-69-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1336-71-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-23 01:49
Reported: 2022-05-23 01:57
Platform: win10v2004-20220414-en
Max time kernel: 104s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"

Signatures

Azorult

Tags: trojan, infostealer, azorult

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                                                                                                   Target
PID 3692 wrote to memory of 3168   N/A        C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe   C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe

(The row above was recorded 9 times with identical values: PID 3692 wrote to the memory of PID 3168 nine times.)

Processes

C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"

C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fd91dbad2d19d5d622b97cb01a25d79748358664a5d26c7a81fd9031ece7777a.exe"

Network

Country  Destination          Domain      Proto
US       209.197.3.8:80       -           tcp
US       93.184.220.29:80     -           tcp
NL       104.110.191.140:80   -           tcp
NL       104.110.191.140:80   -           tcp
US       8.8.8.8:53           e4v5sa.xyz  udp
US       8.8.8.8:53           e4v5sa.xyz  udp

Files

memory/3692-130-0x00000000001A0000-0x0000000000274000-memory.dmp

memory/3692-131-0x0000000005220000-0x00000000057C4000-memory.dmp

memory/3692-132-0x0000000004C70000-0x0000000004D02000-memory.dmp

memory/3692-133-0x0000000004D10000-0x0000000004DAC000-memory.dmp

memory/3692-134-0x00000000027D0000-0x00000000027DA000-memory.dmp

memory/3692-135-0x0000000008B50000-0x0000000008BB6000-memory.dmp

memory/3168-136-0x0000000000000000-mapping.dmp

memory/3168-137-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3168-139-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3168-140-0x0000000000400000-0x0000000000420000-memory.dmp