Malware Analysis Report

2025-08-05 14:30

Sample ID 220523-b8qwcsehal
Target b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
SHA256 b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a
Tags azorult infostealer trojan
Score 10/10

Analysis Overview

Score

10/10

SHA256

b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a

Threat Level: Known bad

The file b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-23 01:49

Signatures

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win7-20220414-en

Max time kernel

32s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description  Indicator  Process                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe   N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe   N/A

Enumerates physical storage devices

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SysWOW64\WerFault.exe  C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

Suspicious use of WriteProcessMemory

Description: PID 1432 wrote to memory of 1984 (4 identical rows)
  Indicator: N/A
  Process:   C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  Target:    C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

Description: PID 1984 wrote to memory of 2024 (11 identical rows)
  Indicator: N/A
  Process:   C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
  Target:    C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

Description: PID 2024 wrote to memory of 1248 (4 identical rows)
  Indicator: N/A
  Process:   C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
  Target:    C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe

"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 120

Network

N/A

Files

memory/1432-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

MD5 1398f625da2ce1ea75874863a150ed27
SHA1 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
SHA256 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
SHA512 b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

memory/1984-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

MD5 d794073cea5c25016fc9e10d9d561d3b
SHA1 0a864adb3a08b19cbadb52f70281c1a48ef62a90
SHA256 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2
SHA512 cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b

C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya

MD5 664dc99256a895e016c2a583aa186011
SHA1 d543975302871a614057d02e12c3531698c0b706
SHA256 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939
SHA512 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39

memory/2024-66-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2024-69-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2024-64-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/2024-62-0x0000000000000000-mapping.dmp

memory/1248-70-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win10v2004-20220414-en

Max time kernel

95s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description  Indicator  Process                                          Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe   N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe   N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description: PID 728 wrote to memory of 2628 (3 identical rows)
  Indicator: N/A
  Process:   C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe
  Target:    C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

Description: PID 2628 wrote to memory of 2844 (10 identical rows)
  Indicator: N/A
  Process:   C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe
  Target:    C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe

"C:\Users\Admin\AppData\Local\Temp\b05adf9ad869adb1c7605901185d74da4ccc5ad49106044a1114cbae8908713a.exe"

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

Network

Country  Destination         Domain  Proto
US       93.184.220.29:80            tcp
DE       89.43.107.198:80            tcp
DE       89.43.107.198:80            tcp
US       52.109.8.19:443             tcp
US       20.189.173.14:443           tcp

Files

memory/2628-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ufzxfyzp.exe

MD5 1398f625da2ce1ea75874863a150ed27
SHA1 36f3466a87ba1d195658d4fda7dc724b7ccfbca5
SHA256 7ef9f09ed7edff46712175015049a0afa8d366ce7d11fcc3fe00105a645e909f
SHA512 b40cc8bec833c5806aa078a248c82f9a8cf9bee99eb821c90ee1de71ffb4a47dbc34a360cfab39cf573e5572a61c83d842780c626ae0a0fe2c3519fe06a3f22e

C:\Users\Admin\AppData\Local\Temp\qdsxhjzcml

MD5 d794073cea5c25016fc9e10d9d561d3b
SHA1 0a864adb3a08b19cbadb52f70281c1a48ef62a90
SHA256 850731e6c213f62dc30227a97ebe8eb699f7dbeb5df8161b3842a8f7b16f10f2
SHA512 cc4664f3bdb3a4a1f8a9b764d74d251c3148875ba7d6bb975a1bde0f3a648dc91ca9ff8279a1ae4e60b22c1d021cafbb35973ea0259a5a7027cfdb7d0df7972b

C:\Users\Admin\AppData\Local\Temp\n29e5gb99yuq5sya

MD5 664dc99256a895e016c2a583aa186011
SHA1 d543975302871a614057d02e12c3531698c0b706
SHA256 67f7b33425bc7a7788d817712b9b73642e2c7402130e795b2d7384cf9839b939
SHA512 37799fb22e33cb30370f19801e8b8bf9c0b8b94ef72ce394b02d0d6f689b923945be8e287b6cc438f0572a83ed389d9e5a50b487f724810b8599ed35e8cd2f39

memory/2844-135-0x0000000000000000-mapping.dmp

memory/2844-137-0x00000000007E0000-0x0000000000800000-memory.dmp

memory/2844-139-0x00000000007E0000-0x0000000000800000-memory.dmp

memory/2844-142-0x00000000007E0000-0x0000000000800000-memory.dmp