Malware Analysis Report

2025-08-05 14:30

Sample ID 220523-b8qwcsehak
Target 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe
SHA256 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126
Tags
azorult infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126

Threat Level: Known bad

The file 67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-23 01:49

Signatures

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win10v2004-20220414-en

Max time kernel

119s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ibjyf.exe N/A (2 identical events)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe C:\Users\Admin\AppData\Local\Temp\ibjyf.exe (3 identical events)
PID 1560 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\ibjyf.exe (10 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe

"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl

Network

Country Destination Domain Proto
NL 2.56.59.31:80 N/A tcp
US 93.184.220.29:80 N/A tcp
US 93.184.220.29:80 N/A tcp
NL 2.56.59.31:80 N/A tcp
NL 88.221.144.179:80 N/A tcp
US 20.42.73.25:443 N/A tcp
NL 104.97.14.81:80 N/A tcp
NL 104.97.14.81:80 N/A tcp
NL 104.97.14.81:80 N/A tcp
FR 2.18.109.224:443 N/A tcp
US 104.18.24.243:80 N/A tcp

Files

memory/1560-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

MD5 3ce2e03927cfb19ced6be0d1a4df16b9
SHA1 67812421bfad08fa0d0ec9a6fa7341cab5687860
SHA256 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa
SHA512 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

C:\Users\Admin\AppData\Local\Temp\zjpvfl

MD5 ad4a34c660bd08739bde04685d83743c
SHA1 8930ea55e26562c033dca1c6aab8d50fb4bf786b
SHA256 584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2
SHA512 ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f

C:\Users\Admin\AppData\Local\Temp\3rvv473x9d9doywn24w0

MD5 d68efd53b46be72c468deb58e648d035
SHA1 2f7ce2bd0076bf6530905ee8863a93eed5feab56
SHA256 e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5
SHA512 ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57

memory/2012-135-0x0000000000000000-mapping.dmp

memory/2012-137-0x0000000001320000-0x0000000001340000-memory.dmp

memory/2012-139-0x0000000001320000-0x0000000001340000-memory.dmp

memory/2012-142-0x0000000001320000-0x0000000001340000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win7-20220414-en

Max time kernel

39s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ibjyf.exe N/A (2 identical events)

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1004 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe C:\Users\Admin\AppData\Local\Temp\ibjyf.exe (4 identical events)
PID 1516 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\ibjyf.exe (11 identical events)
PID 1652 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Windows\SysWOW64\WerFault.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe

"C:\Users\Admin\AppData\Local\Temp\67ea2153cfc1a94642fa7f08b5e8c40c2497106687b6d9d6fa938eec1d659126.exe"

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe C:\Users\Admin\AppData\Local\Temp\zjpvfl

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 120

Network

N/A

Files

memory/1004-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

\Users\Admin\AppData\Local\Temp\ibjyf.exe

MD5 3ce2e03927cfb19ced6be0d1a4df16b9
SHA1 67812421bfad08fa0d0ec9a6fa7341cab5687860
SHA256 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa
SHA512 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

memory/1516-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ibjyf.exe

MD5 3ce2e03927cfb19ced6be0d1a4df16b9
SHA1 67812421bfad08fa0d0ec9a6fa7341cab5687860
SHA256 23b900fff0fd487f6bd7770db56ec2a69248c2135a28fc7c017512f11798c1fa
SHA512 0d9bfa9fdb6e038a56a938cb3237961b989d8da2d6813dbab0a575173d4c2c89c52a019cb4d7143521108e6cba79a4e8cb3128c15ac22c869a3b46f481bd8acc

C:\Users\Admin\AppData\Local\Temp\zjpvfl

MD5 ad4a34c660bd08739bde04685d83743c
SHA1 8930ea55e26562c033dca1c6aab8d50fb4bf786b
SHA256 584c5e9c39032e13e4a22e10f6810c5a16eebd4e6176b7b10f60125de48946e2
SHA512 ecd73bd232804a7940e2c211923fe504ff0ad857456f9cb68ebb0c164ead9f9c475c38c784a383461059dc355b7977d18b18078320332b32d2b99f7822351f4f

C:\Users\Admin\AppData\Local\Temp\3rvv473x9d9doywn24w0

MD5 d68efd53b46be72c468deb58e648d035
SHA1 2f7ce2bd0076bf6530905ee8863a93eed5feab56
SHA256 e9db77d19a967335c3408db51f4c693cf663ed1d4c5c4f193b6d0bafe9049af5
SHA512 ec67672126fcf2a47ae4b845396121185c35791a6c5b024c33162ab0370f70fa6e7e101897c083b09b6c95ab36bf977abdb9f04e9cfbec4b98fff1c80c842c57

memory/1652-65-0x0000000000180000-0x00000000001A0000-memory.dmp

memory/1652-67-0x0000000000180000-0x00000000001A0000-memory.dmp

memory/1652-70-0x0000000000180000-0x00000000001A0000-memory.dmp

memory/1652-63-0x0000000000000000-mapping.dmp

memory/2000-71-0x0000000000000000-mapping.dmp
