azorult | 3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287

Analysis

max time kernel
86s
max time network
97s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-07-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
Size

3.3MB
MD5

4ce9eaf299a37158cf09d0e6847f27d5
SHA1

80fde74e771a40c4edc876cdd7f77be11ebed28f
SHA256

3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287
SHA512

70e20c4326784cf8071817688f8166dd024e869e9faa04af644a4bd4b44b079d0036024bc2db84e3487c0823342ef8362a9a2ccd3c1cf51343e6f4e52ce91f50

Score

10^/10

azorult discovery infostealer suricata trojan

Malware Config

Extracted

Family

azorult

http://92.63.192.72/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
suricata
Executes dropped EXE 2 IoCs

Processes:

busshost.exeYTLoader.exe

pid process

1380 busshost.exe
1784 YTLoader.exe

pid	process
1380	busshost.exe
1784	YTLoader.exe

Loads dropped DLL 8 IoCs

Processes:

3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exeWerFault.exe

pid	process
1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

Processes:

3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1728 1784 WerFault.exe YTLoader.exe

pid	pid_target	process	target process
1728	1784	WerFault.exe	YTLoader.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

YTLoader.exe

description pid process

Token: SeDebugPrivilege 1784 YTLoader.exe

description	pid	process
Token: SeDebugPrivilege	1784	YTLoader.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exeYTLoader.exe

description	pid	process	target process
PID 1984 wrote to memory of 1380	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	busshost.exe
PID 1984 wrote to memory of 1380	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	busshost.exe
PID 1984 wrote to memory of 1380	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	busshost.exe
PID 1984 wrote to memory of 1380	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	busshost.exe
PID 1984 wrote to memory of 1784	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	YTLoader.exe
PID 1984 wrote to memory of 1784	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	YTLoader.exe
PID 1984 wrote to memory of 1784	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	YTLoader.exe
PID 1984 wrote to memory of 1784	1984	3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe	YTLoader.exe
PID 1784 wrote to memory of 1728	1784	YTLoader.exe	WerFault.exe
PID 1784 wrote to memory of 1728	1784	YTLoader.exe	WerFault.exe
PID 1784 wrote to memory of 1728	1784	YTLoader.exe	WerFault.exe
PID 1784 wrote to memory of 1728	1784	YTLoader.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe
"C:\Users\Admin\AppData\Local\Temp\3bb9961490c803b6ff20959ab0c6b9c51863fd1c07b1778045a735d89e7e7287.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1984

C:\Program Files (x86)\LetsSee!\busshost.exe
"C:\Program Files (x86)\LetsSee!\busshost.exe"
2⤵
- Executes dropped EXE
PID:1380

C:\Program Files (x86)\LetsSee!\YTLoader.exe
"C:\Program Files (x86)\LetsSee!\YTLoader.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 1168
3⤵
- Loads dropped DLL
- Program crash
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe
Filesize
294KB

MD5
866ce0f274ce18c79f4f98f7d73ddf52

SHA1
1508422c5831255f67e02f142bcb4266ba5d811f

SHA256
f2b2de78c5ab16b19eb538b08afae9d58f6eb6642cee4ca0405ba4e1fc776342

SHA512
ff225f6a95bf62cb17bc159e9d11cf6de5e9f93b0d3923cb2627bde206dbf89ef7cbdd2c0218b5a266790a31b9d8f010895b908cb93e1559715d192cf65be260

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\YTLoader.exe
Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
\Program Files (x86)\LetsSee!\busshost.exe
Filesize
294KB

MD5
866ce0f274ce18c79f4f98f7d73ddf52

SHA1
1508422c5831255f67e02f142bcb4266ba5d811f

SHA256
f2b2de78c5ab16b19eb538b08afae9d58f6eb6642cee4ca0405ba4e1fc776342

SHA512
ff225f6a95bf62cb17bc159e9d11cf6de5e9f93b0d3923cb2627bde206dbf89ef7cbdd2c0218b5a266790a31b9d8f010895b908cb93e1559715d192cf65be260

Download Submit
\Program Files (x86)\LetsSee!\busshost.exe
Filesize
294KB

MD5
866ce0f274ce18c79f4f98f7d73ddf52

SHA1
1508422c5831255f67e02f142bcb4266ba5d811f

SHA256
f2b2de78c5ab16b19eb538b08afae9d58f6eb6642cee4ca0405ba4e1fc776342

SHA512
ff225f6a95bf62cb17bc159e9d11cf6de5e9f93b0d3923cb2627bde206dbf89ef7cbdd2c0218b5a266790a31b9d8f010895b908cb93e1559715d192cf65be260

Download Submit
memory/1380-64-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1380-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1380-57-0x0000000000000000-mapping.dmp

Download
memory/1380-71-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1380-72-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1380-85-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1728-86-0x0000000000000000-mapping.dmp

Download
memory/1784-73-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/1784-84-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/1784-77-0x0000000000AA0000-0x0000000000AA8000-memory.dmp

Filesize
32KB

Download
memory/1784-78-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download
memory/1784-79-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1784-80-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1784-81-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/1784-82-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/1784-83-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/1784-76-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/1784-75-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/1784-74-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/1784-60-0x0000000000000000-mapping.dmp

Download
memory/1784-70-0x0000000005260000-0x00000000056BA000-memory.dmp

Filesize
4.4MB

Download
memory/1784-68-0x00000000003B0000-0x00000000003BA000-memory.dmp

Filesize
40KB

Download
memory/1784-67-0x00000000013B0000-0x00000000016B8000-memory.dmp

Filesize
3.0MB

Download
memory/1984-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download