azorult | 9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a

General

Target

9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe
Size

1.8MB
MD5

e2aaaa8dca87da4b8e76441cdda8a344
SHA1

a7815af1153100a5785506b0b3fb90289d47a0dd
SHA256

9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a
SHA512

bc5d4b4420200d68d08f90b146675d19fda0ba789df81035f2190c61b9227df87e9e4a24b6f6f8c12485daaf63ccb83167c6c60455a1959212711641a20cedb6

Score

10^/10

azorult infostealer persistence suricata trojan upx

Malware Config

Extracted

Family

azorult

C2

http://julaly.ml/tiv202/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata: ET MALWARE AZORult Variant.4 Checkin M2
suricata
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6
suricata: ET MALWARE Win32/AZORult V3.2 Client Checkin M6
suricata
Executes dropped EXE 2 IoCs

Processes:

Bonesr.exeBonesr.exe

pid process

988 Bonesr.exe
1148 Bonesr.exe

pid	process
988	Bonesr.exe
1148	Bonesr.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2000-59-0x0000000000400000-0x0000000000483000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exeBonesr.exe

pid	process
2000	9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe
2000	9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe
988	Bonesr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Bonesr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\NNFNMU = "C:\\Users\\Admin\\AppData\\Local\\NNFNMU\\NNFNMUYUI.vbs"	Bonesr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Bonesr.exe

description pid process target process

PID 988 set thread context of 1148 988 Bonesr.exe Bonesr.exe

description	pid	process	target process
PID 988 set thread context of 1148	988	Bonesr.exe	Bonesr.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exeBonesr.exe

description	pid	process	target process
PID 2000 wrote to memory of 988	2000	9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe	Bonesr.exe
PID 2000 wrote to memory of 988	2000	9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe	Bonesr.exe
PID 2000 wrote to memory of 988	2000	9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe	Bonesr.exe
PID 2000 wrote to memory of 988	2000	9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe
PID 988 wrote to memory of 1148	988	Bonesr.exe	Bonesr.exe

C:\Users\Admin\AppData\Local\Temp\9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe
"C:\Users\Admin\AppData\Local\Temp\9320f896b3bccdd93eafdfef6bfcb75c57a228fa50f3978c44e8e07ac693698a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\Bonesr.exe
  C:\Users\Admin\AppData\Local\Temp\Bonesr.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Users\Admin\AppData\Local\Temp\Bonesr.exe
    "C:\Users\Admin\AppData\Local\Temp\Bonesr.exe"
    3⤵
    - Executes dropped EXE
    PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bon.bmp

Filesize
1.1MB

MD5
d9b5142d73d47a0202347096778f3595

SHA1
718ed8b94bc04374e16d7ead1e6ea01ce40be332

SHA256
5a3a0ef21119810d6eb0a7510e8e78b4cc9bef75d0981a42f1eaa982b2264326

SHA512
8b96992d2aee5eae8d3c1fd89a4d7aef663dcb73a39d523a0699653b561ab0c9e02a27f6b3f4993d037bff2b3863fdb44f1253d01dcfdbaa5590dc8df9f0f9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bonesr.exe

Filesize
560KB

MD5
134a89a84d775ec24c5bf53ce3cbe0ed

SHA1
b5228bcef474f53ac4e55cb3869d87fb3abee6f3

SHA256
f05ba52e38c6c13f36bf903b2f045f29c3f826d1c3ecf2e86bb1458494edb3e0

SHA512
f0911b9f73ae0738e07eac55f51034efc5230e943f8dd00b3a254df1bcae72d070b4924d1ebbc130a81ceecb520662b04a41c0a3ac1c95792415008a3c3aa920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bonesr.exe

Filesize
560KB

MD5
134a89a84d775ec24c5bf53ce3cbe0ed

SHA1
b5228bcef474f53ac4e55cb3869d87fb3abee6f3

SHA256
f05ba52e38c6c13f36bf903b2f045f29c3f826d1c3ecf2e86bb1458494edb3e0

SHA512
f0911b9f73ae0738e07eac55f51034efc5230e943f8dd00b3a254df1bcae72d070b4924d1ebbc130a81ceecb520662b04a41c0a3ac1c95792415008a3c3aa920

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bonesr.exe

Filesize
560KB

MD5
134a89a84d775ec24c5bf53ce3cbe0ed

SHA1
b5228bcef474f53ac4e55cb3869d87fb3abee6f3

SHA256
f05ba52e38c6c13f36bf903b2f045f29c3f826d1c3ecf2e86bb1458494edb3e0

SHA512
f0911b9f73ae0738e07eac55f51034efc5230e943f8dd00b3a254df1bcae72d070b4924d1ebbc130a81ceecb520662b04a41c0a3ac1c95792415008a3c3aa920

Download Submit
\Users\Admin\AppData\Local\Temp\Bonesr.exe

Filesize
560KB

MD5
134a89a84d775ec24c5bf53ce3cbe0ed

SHA1
b5228bcef474f53ac4e55cb3869d87fb3abee6f3

SHA256
f05ba52e38c6c13f36bf903b2f045f29c3f826d1c3ecf2e86bb1458494edb3e0

SHA512
f0911b9f73ae0738e07eac55f51034efc5230e943f8dd00b3a254df1bcae72d070b4924d1ebbc130a81ceecb520662b04a41c0a3ac1c95792415008a3c3aa920

Download Submit
\Users\Admin\AppData\Local\Temp\Bonesr.exe

Filesize
560KB

MD5
134a89a84d775ec24c5bf53ce3cbe0ed

SHA1
b5228bcef474f53ac4e55cb3869d87fb3abee6f3

SHA256
f05ba52e38c6c13f36bf903b2f045f29c3f826d1c3ecf2e86bb1458494edb3e0

SHA512
f0911b9f73ae0738e07eac55f51034efc5230e943f8dd00b3a254df1bcae72d070b4924d1ebbc130a81ceecb520662b04a41c0a3ac1c95792415008a3c3aa920

Download Submit
\Users\Admin\AppData\Local\Temp\Bonesr.exe

Filesize
560KB

MD5
134a89a84d775ec24c5bf53ce3cbe0ed

SHA1
b5228bcef474f53ac4e55cb3869d87fb3abee6f3

SHA256
f05ba52e38c6c13f36bf903b2f045f29c3f826d1c3ecf2e86bb1458494edb3e0

SHA512
f0911b9f73ae0738e07eac55f51034efc5230e943f8dd00b3a254df1bcae72d070b4924d1ebbc130a81ceecb520662b04a41c0a3ac1c95792415008a3c3aa920

Download Submit
memory/988-56-0x0000000000000000-mapping.dmp

Download
memory/988-58-0x0000000076191000-0x0000000076193000-memory.dmp

Filesize
8KB

Download
memory/1148-71-0x000000000041A1F8-mapping.dmp

Download
memory/1148-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1148-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2000-59-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads