Malware Analysis Report

2025-08-05 14:30

Sample ID 220523-b8qwcsehan
Target 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe
SHA256 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b
Tags
azorult infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b

Threat Level: Known bad

The file 3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Executes dropped EXE

Loads dropped DLL

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-05-23 01:49

Signatures

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:57

Platform

win7-20220414-en

Max time kernel

41s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 812 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 812 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 812 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 812 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1008 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Windows\SysWOW64\WerFault.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Windows\SysWOW64\WerFault.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Windows\SysWOW64\WerFault.exe
PID 1336 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe

"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 120

Network

N/A

Files

memory/812-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

\Users\Admin\AppData\Local\Temp\ucxgm.exe

MD5 78673699f5e78cf7ecfbb9ef42f3cc20
SHA1 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e
SHA256 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838
SHA512 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

memory/1008-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

MD5 78673699f5e78cf7ecfbb9ef42f3cc20
SHA1 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e
SHA256 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838
SHA512 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

C:\Users\Admin\AppData\Local\Temp\joszbi

MD5 a5a523f60a17756e61e17ba513ff59d1
SHA1 d03b444c7c2d4ffb34d483427e69ec2116d90951
SHA256 5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755
SHA512 99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d

C:\Users\Admin\AppData\Local\Temp\jqrvq39gj49la

MD5 664cb163be98c1035799694e2585cb16
SHA1 30984822dc25b065f6476557361396282906c551
SHA256 466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd
SHA512 e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985

memory/1336-63-0x0000000000000000-mapping.dmp

memory/1336-65-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/1336-67-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/1336-70-0x0000000000080000-0x00000000000A0000-memory.dmp

memory/1328-71-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-23 01:49

Reported

2022-05-23 01:58

Platform

win10v2004-20220414-en

Max time kernel

105s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"

Signatures

Azorult

trojan infostealer azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3292 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3292 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe
PID 3924 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe

"C:\Users\Admin\AppData\Local\Temp\3b1fd9ce0c20b167a2367191a5129c5f635869f6a87f473cfe083e67d7f7465b.exe"

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe C:\Users\Admin\AppData\Local\Temp\joszbi

Network

Country Destination Domain Proto
FR 2.18.109.224:443 tcp
US 104.18.24.243:80 tcp
AU 104.46.162.226:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
DE 89.43.107.198:80 tcp
US 93.184.220.29:80 tcp
DE 89.43.107.198:80 tcp

Files

memory/3924-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ucxgm.exe

MD5 78673699f5e78cf7ecfbb9ef42f3cc20
SHA1 7d1a1e230a595a3249f70871dfca54c1c7e6bb3e
SHA256 85f2460b17088ffbf8a4cfbbcf8c65340f538fe7e78603cf03adad566afc7838
SHA512 1f755d80bd66eea8ba8b0acbb9e2e8ba81d648671621ecd2407b680383e94269f7668840c9280dd75e176efb05cff25345438b43d3e82d71d9df865d759bb016

C:\Users\Admin\AppData\Local\Temp\joszbi

MD5 a5a523f60a17756e61e17ba513ff59d1
SHA1 d03b444c7c2d4ffb34d483427e69ec2116d90951
SHA256 5519ce10c332d304d521a15d902d84e2feac7827a148284713402de837fd4755
SHA512 99af33e2deb545c902c8663a67643b18ae2ee09924c8dee23c4ed93a6ff55305c020e3fd4e2d3781144450b14468c08799a3c59dfd1151893ec1a7e8352ef08d

C:\Users\Admin\AppData\Local\Temp\jqrvq39gj49la

MD5 664cb163be98c1035799694e2585cb16
SHA1 30984822dc25b065f6476557361396282906c551
SHA256 466b28f6c18c530ac94410a111fe1feb84b2363b03831cb3e39af96d37ad56cd
SHA512 e723882a67c072413357da1d9950a363ffcdb38fd1554cfede3acc75a16b6b78497a736fed7c32a5b8431a4ce591d3610da561ebbfee03ce04d6661e32612985

memory/4552-135-0x0000000000000000-mapping.dmp

memory/4552-137-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/4552-139-0x0000000000C80000-0x0000000000CA0000-memory.dmp

memory/4552-142-0x0000000000C80000-0x0000000000CA0000-memory.dmp