Malware Analysis Report

2025-08-05 14:30

Sample ID 220523-b8qwcsbdh3
Target 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe
SHA256 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94
Tags azorult infostealer persistence suricata trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94

Threat Level: Known bad

The file 9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer persistence suricata trojan

Azorult

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-23 01:49

Signatures

NSIS installer

installer

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:58

Platform

win10v2004-20220414-en

Max time kernel

105s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"

Signatures

Azorult

trojan infostealer azorult

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miihwsieh = "C:\\Users\\Admin\\AppData\\Roaming\\cchna\\ktqglofa.exe" C:\Users\Admin\AppData\Local\Temp\ydzzl.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4264 wrote to memory of 5008 (3 identical events) N/A C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
PID 5008 wrote to memory of 1008 (10 identical events) N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe

"C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu

Network

Country Destination Domain Proto
US 20.42.65.85:443 tcp
US 209.197.3.8:80 tcp (3 identical connections)
US 8.8.8.8:53 mideastclinicsea.us udp
RO 101.99.94.184:80 mideastclinicsea.us tcp
US 13.107.42.16:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

MD5 b70d0f4c2d7f34f176ece550d76ce092
SHA1 d6ef987a7e62cc591daa3ac2054bc171dec9a159
SHA256 a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
SHA512 d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

memory/5008-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wyjxu

MD5 d8a269678720acfc5dc76b53208c3302
SHA1 2729bad20f6935e5b88489671900ddaa7d22c792
SHA256 88e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf
SHA512 b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a

C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82l

MD5 44623f66bab0f6148c33004e7247387f
SHA1 dd457b7633b125d6be1ee9bf9ca242e9e4174451
SHA256 a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2
SHA512 3c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8

memory/1008-135-0x0000000000000000-mapping.dmp

memory/1008-137-0x00000000003C0000-0x00000000003E0000-memory.dmp

memory/1008-139-0x00000000003C0000-0x00000000003E0000-memory.dmp

memory/1008-142-0x00000000003C0000-0x00000000003E0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:58

Platform

win7-20220414-en

Max time kernel

33s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\miihwsieh = "C:\\Users\\Admin\\AppData\\Roaming\\cchna\\ktqglofa.exe" C:\Users\Admin\AppData\Local\Temp\ydzzl.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 1856 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
PID 1856 wrote to memory of 1228 (11 identical events) N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\ydzzl.exe
PID 1228 wrote to memory of 980 (4 identical events) N/A C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe

"C:\Users\Admin\AppData\Local\Temp\9f6a8cf503fa963fca29cabcadab8cd6fb9dd99387a0a67fb81f9b15fe4ffd94.exe"

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe C:\Users\Admin\AppData\Local\Temp\wyjxu

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 120

Network

N/A

Files

memory/748-54-0x0000000076811000-0x0000000076813000-memory.dmp

\Users\Admin\AppData\Local\Temp\ydzzl.exe

MD5 b70d0f4c2d7f34f176ece550d76ce092
SHA1 d6ef987a7e62cc591daa3ac2054bc171dec9a159
SHA256 a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
SHA512 d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

memory/1856-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ydzzl.exe

MD5 b70d0f4c2d7f34f176ece550d76ce092
SHA1 d6ef987a7e62cc591daa3ac2054bc171dec9a159
SHA256 a1de1a69e0252e6e04e188a4c70b434e7c60e43ec52475106b170124c018f039
SHA512 d00ca32682b5eeb884e54638b467fd07e6f509e51b273a5389d6426305a7cc7c17245b83c6b1bccdee1e9815b78fab31fda0526193f1075a8c27945094a792e1

C:\Users\Admin\AppData\Local\Temp\wyjxu

MD5 d8a269678720acfc5dc76b53208c3302
SHA1 2729bad20f6935e5b88489671900ddaa7d22c792
SHA256 88e9825f1ba032c3ba70907f767ca5370ee6070f665f05ee83b5af26613b4ecf
SHA512 b315c216c26995da4a220335a46f4cddd74e114d876d4f25c9b9f3d36a79bd5ef28c8a66a20002fcffaab19240dd53d0ac7239bf731c58cdd715fd0b9458ba4a

C:\Users\Admin\AppData\Local\Temp\xjewya0f8z6q4cvbu82l

MD5 44623f66bab0f6148c33004e7247387f
SHA1 dd457b7633b125d6be1ee9bf9ca242e9e4174451
SHA256 a377019e6b43e9a7cc6b3dffb7ac1b98bbf9a8de3399ec44a8caf50ca7ebaaa2
SHA512 3c5055e9a88b94ee2e6b623c3c380a612e7444adb81c280e6edf349b0253ef7170d1f59e256c52b60fa57f0a14b9518739105ce4d1a12f5618a19fbab699fec8

memory/1228-63-0x0000000000000000-mapping.dmp

memory/1228-65-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/1228-67-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/1228-70-0x00000000000C0000-0x00000000000E0000-memory.dmp

memory/980-71-0x0000000000000000-mapping.dmp
