azorult | 3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec

General

Target

3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
Size

582KB
MD5

38d328dd86ebad6931208bc20280fcda
SHA1

89a9285ea26ff51212e7cbb68cbccfd6c262c296
SHA256

3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec
SHA512

5b2324b74cec5bf6c2632f453e7dc397a7fcd7f1977f17dd2e085a047f3aed0b1caecc40cbf1b3e0b009b1ec75aa2b2d7872fe91bff574af5b3e4df43f868d94

Score

10^/10

Family

azorult

C2

http://projectkanor.bit/az/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

Suspicious use of SetThreadContext 1 IoCs

Processes:

3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

description	pid	process	target process
PID 4912 set thread context of 2404	4912	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

pid process

4912 3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

pid	process
4912	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

description	pid	process	target process
PID 4912 wrote to memory of 2404	4912	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
PID 4912 wrote to memory of 2404	4912	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
PID 4912 wrote to memory of 2404	4912	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe	3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe

C:\Users\Admin\AppData\Local\Temp\3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe
C:\Users\Admin\AppData\Local\Temp\3bdcfffd58d9c5765825f4ef7d42d75b9d2aec412f0b35dbd0298a51474ce0ec.exe"
2⤵
PID:2404

memory/2404-133-0x0000000000000000-mapping.dmp

Download
memory/2404-136-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2404-149-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/2404-150-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/2404-151-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2404-152-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download
memory/2404-153-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4912-132-0x00000000022F0000-0x00000000022F7000-memory.dmp

Filesize
28KB

Download
memory/4912-134-0x0000000077980000-0x0000000077B23000-memory.dmp

Filesize
1.6MB

Download