azorult | a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb

General

Target

a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
Size

3.4MB
MD5

eeac6ced2e0a2d0a9d2455d4f510c5c3
SHA1

4b7d8d24cf1b39448a8d66cf75ae7786dc4fc075
SHA256

a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb
SHA512

f3d914b59a56f48b3bcebe9bd8470cf885f2ed868bd19c28b46da84abdf36db5854f9ffbeb55bcf298d7100b9f4573142850cc5d5ead5b70422ff2532e14befe

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

tmp3unl_j.exesetup.exea.exe

pid process

2032 tmp3unl_j.exe
2044 setup.exe
1960 a.exe
Drops startup file 1 IoCs

Processes:

tmp3unl_j.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe tmp3unl_j.exe

pid	process
2032	tmp3unl_j.exe
2044	setup.exe
1960	a.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	tmp3unl_j.exe

Loads dropped DLL 8 IoCs

Processes:

a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exetmp3unl_j.exe

pid	process
1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
2032	tmp3unl_j.exe
2032	tmp3unl_j.exe
2032	tmp3unl_j.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

tmp3unl_j.exe

pid process

2032 tmp3unl_j.exe

pid	process
2032	tmp3unl_j.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exea99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exetmp3unl_j.exe

description	pid	process	target process
PID 1732 wrote to memory of 1776	1732	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
PID 1732 wrote to memory of 1776	1732	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
PID 1732 wrote to memory of 1776	1732	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
PID 1732 wrote to memory of 1776	1732	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
PID 1776 wrote to memory of 2032	1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	tmp3unl_j.exe
PID 1776 wrote to memory of 2032	1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	tmp3unl_j.exe
PID 1776 wrote to memory of 2032	1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	tmp3unl_j.exe
PID 1776 wrote to memory of 2032	1776	a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe	tmp3unl_j.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 2044	2032	tmp3unl_j.exe	setup.exe
PID 2032 wrote to memory of 1960	2032	tmp3unl_j.exe	a.exe
PID 2032 wrote to memory of 1960	2032	tmp3unl_j.exe	a.exe
PID 2032 wrote to memory of 1960	2032	tmp3unl_j.exe	a.exe
PID 2032 wrote to memory of 1960	2032	tmp3unl_j.exe	a.exe

C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
"C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe
"C:\Users\Admin\AppData\Local\Temp\a99c187908efe284eeff0a25af134828f580a398a9aa02ed76ed98dbd59324eb.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\appdata\local\temp\tmp3unl_j.exe
"C:\Users\Admin\appdata\local\temp\tmp3unl_j.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\a.exe
C:\Users\Admin\AppData\Local\Temp\a.exe
4⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17322\DiscordSpamTool.exe.manifest
Filesize
1KB

MD5
570e2cfa11950537cc9f707dfc47e3c0

SHA1
016ddd6fcc2f6e8dcd8529c8b4c2b34d6d782ca2

SHA256
85e55e56044ddce3b0f126ba052d305edcfde2d219e3e434f7aa129fe1a95a28

SHA512
ed25b9cb7c66b7fa385ca7bb9ea5a04529653d64711f78ac971fa624ce1b5500fab2928790967b44805ca344095454824f79779ed4d348dc5fa6146cee1ab535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17322\python27.dll
Filesize
92KB

MD5
c9611d45beafd6dc948c9875acbc74be

SHA1
18be61415ea07763da4ebc38f53ef9248827b00c

SHA256
e8a92bd0730b2e5eb54ae91b5ab0e0452469a549055e61aac27f94d1947d0a3f

SHA512
090934a1c6c55a1a0c25471f0ae0ab3b963f997b649b9c62cf5fdce7cc0f3aeb33f06c704e8a6ca20a2857244f6c0d4d7c71a21bcc22f92e6ee2a913b12dbbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17~1\_ctypes.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17~1\_hashlib.pyd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3unl_j.exe

Download Submit
C:\Users\Admin\appdata\local\temp\tmp3unl_j.exe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17322\python27.dll
Filesize
92KB

MD5
c9611d45beafd6dc948c9875acbc74be

SHA1
18be61415ea07763da4ebc38f53ef9248827b00c

SHA256
e8a92bd0730b2e5eb54ae91b5ab0e0452469a549055e61aac27f94d1947d0a3f

SHA512
090934a1c6c55a1a0c25471f0ae0ab3b963f997b649b9c62cf5fdce7cc0f3aeb33f06c704e8a6ca20a2857244f6c0d4d7c71a21bcc22f92e6ee2a913b12dbbfc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17~1\_ctypes.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI17~1\_hashlib.pyd

Download Submit
\Users\Admin\AppData\Local\Temp\a.exe

Download Submit
\Users\Admin\AppData\Local\Temp\a.exe

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3unl_j.exe

Download Submit
\Users\Admin\AppData\Local\Temp\tmp3unl_j.exe

Download Submit
memory/1776-54-0x0000000000000000-mapping.dmp

Download
memory/1776-58-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1960-78-0x0000000000000000-mapping.dmp

Download
memory/2032-65-0x0000000000000000-mapping.dmp

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download
memory/2044-74-0x00000000003A0000-0x0000000000462000-memory.dmp

Filesize
776KB

Download
memory/2044-75-0x00000000007E5000-0x00000000007F6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing