Malware Analysis Report

2025-08-05 14:29

Sample ID 220523-b8pnaseggm
Target 69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
SHA256 69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a
Tags
azorult infostealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a

Threat Level: Known bad

The file 69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer suricata trojan

Azorult

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15

Suspicious use of SetThreadContext

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-23 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:56

Platform

win7-20220414-en

Max time kernel

56s

Max time network

66s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

Signatures

Azorult

trojan infostealer azorult

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

suricata

Suspicious use of WriteProcessMemory

Description                        | Indicator | Process                                                                                                     | Target
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1944 wrote to memory of 1760   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1760 wrote to memory of 1096   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 1096   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 1096   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1760 wrote to memory of 1096   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 756

Network

Country | Destination        | Domain         | Proto
NL      | 62.197.136.186:80  | 62.197.136.186 | tcp

Files

memory/1944-54-0x0000000001290000-0x000000000138E000-memory.dmp

memory/1944-55-0x0000000076171000-0x0000000076173000-memory.dmp

memory/1944-56-0x0000000000C00000-0x0000000000C1A000-memory.dmp

memory/1944-57-0x0000000008000000-0x00000000080EA000-memory.dmp

memory/1944-58-0x0000000000DC0000-0x0000000000DE2000-memory.dmp

memory/1760-59-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-60-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-62-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-63-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-64-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-67-0x000000000041A684-mapping.dmp

memory/1760-66-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-69-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1760-71-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1096-72-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win10v2004-20220414-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

Signatures

Azorult

trojan infostealer azorult

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M15

suricata

Suspicious use of AdjustPrivilegeToken

Description             | Indicator | Process                                                                                                     | Target
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | N/A

Suspicious use of WriteProcessMemory

Description                        | Indicator | Process                                                                                                     | Target
PID 1820 wrote to memory of 4432   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4432   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4432   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 3828   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 3828   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 3828   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe
PID 1820 wrote to memory of 4520   | N/A       | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe | C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe

"C:\Users\Admin\AppData\Local\Temp\69d0885e1490db820cfa69e85ee79f0fa96375c65b32606c3fa2a6edfe19cf1a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 996

Network

Country | Destination         | Domain         | Proto
US      | 52.109.8.21:443     |                | tcp
US      | 20.42.72.131:443    |                | tcp
NL      | 62.197.136.186:80   | 62.197.136.186 | tcp
NL      | 104.110.191.140:80  |                | tcp
NL      | 104.110.191.140:80  |                | tcp
NL      | 104.110.191.140:80  |                | tcp
US      | 52.109.8.20:443     |                | tcp

Files

memory/1820-130-0x0000000000870000-0x000000000096E000-memory.dmp

memory/1820-131-0x00000000059F0000-0x0000000005F94000-memory.dmp

memory/1820-132-0x0000000005300000-0x0000000005392000-memory.dmp

memory/1820-133-0x00000000053B0000-0x00000000053BA000-memory.dmp

memory/1820-134-0x0000000008F10000-0x0000000008FAC000-memory.dmp

memory/4432-135-0x0000000000000000-mapping.dmp

memory/3828-136-0x0000000000000000-mapping.dmp

memory/4520-137-0x0000000000000000-mapping.dmp

memory/4520-138-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4520-140-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4520-141-0x0000000000400000-0x0000000000420000-memory.dmp