azorult | 612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438

General

Target

612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe
Size

550KB
MD5

e765ff6c7fee937fa2ebc598a94d591b
SHA1

0228e998444f970e35fcf377cb7508330af1c510
SHA256

612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438
SHA512

e028d36621d02d0cbbd5bc88996b0b9fe7469d422402a31bf25ff03f2a650732b6bc800623e49c380b72a6f3449a52d76fe2f68350503ba4cc8089578f14c719

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://83286.prohoster.biz/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

RegisterIEPKEYs.exeRegisterIEPKEYs.exe

pid process

1964 RegisterIEPKEYs.exe
692 RegisterIEPKEYs.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

796 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exeRegisterIEPKEYs.exe

pid process

2024 612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe
1964 RegisterIEPKEYs.exe
1964 RegisterIEPKEYs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

RegisterIEPKEYs.exe

description pid process target process

PID 1964 set thread context of 692 1964 RegisterIEPKEYs.exe RegisterIEPKEYs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1964	RegisterIEPKEYs.exe
692	RegisterIEPKEYs.exe

pid	process
796	cmd.exe

pid	process
2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe
1964	RegisterIEPKEYs.exe
1964	RegisterIEPKEYs.exe

description	pid	process	target process
PID 1964 set thread context of 692	1964	RegisterIEPKEYs.exe	RegisterIEPKEYs.exe

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe	nsis_installer_2

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1668 PING.EXE
1776 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe

pid process

2024 612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

RegisterIEPKEYs.exe

pid process

1964 RegisterIEPKEYs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe

description pid process

Token: SeDebugPrivilege 2024 612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe

pid	process
1668	PING.EXE
1776	PING.EXE

pid	process
2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe

pid	process
1964	RegisterIEPKEYs.exe

description	pid	process
Token: SeDebugPrivilege	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.execmd.exeRegisterIEPKEYs.exe

description	pid	process	target process
PID 2024 wrote to memory of 1964	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	RegisterIEPKEYs.exe
PID 2024 wrote to memory of 1964	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	RegisterIEPKEYs.exe
PID 2024 wrote to memory of 1964	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	RegisterIEPKEYs.exe
PID 2024 wrote to memory of 1964	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	RegisterIEPKEYs.exe
PID 2024 wrote to memory of 796	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	cmd.exe
PID 2024 wrote to memory of 796	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	cmd.exe
PID 2024 wrote to memory of 796	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	cmd.exe
PID 2024 wrote to memory of 796	2024	612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe	cmd.exe
PID 796 wrote to memory of 1668	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1668	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1668	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1668	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1776	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1776	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1776	796	cmd.exe	PING.EXE
PID 796 wrote to memory of 1776	796	cmd.exe	PING.EXE
PID 1964 wrote to memory of 692	1964	RegisterIEPKEYs.exe	RegisterIEPKEYs.exe
PID 1964 wrote to memory of 692	1964	RegisterIEPKEYs.exe	RegisterIEPKEYs.exe
PID 1964 wrote to memory of 692	1964	RegisterIEPKEYs.exe	RegisterIEPKEYs.exe
PID 1964 wrote to memory of 692	1964	RegisterIEPKEYs.exe	RegisterIEPKEYs.exe
PID 1964 wrote to memory of 692	1964	RegisterIEPKEYs.exe	RegisterIEPKEYs.exe

C:\Users\Admin\AppData\Local\Temp\612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe
"C:\Users\Admin\AppData\Local\Temp\612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe
  "C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe"
    3⤵
    - Executes dropped EXE
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\612094e1ef1469330d6caf115e1072b5b9d308f9e0a7501cc7168bad9f829438.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:1668
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe

Filesize
330KB

MD5
a9642843de49fe7356d6f66114e6a7db

SHA1
0968d40b9de981719cb4af12c0b3f6fd831ddf9f

SHA256
1b4abee0de5b28df057f8da4c8fb2bb16e528f298565a79eb42b2ea3c5168466

SHA512
a937aca1848c6815208ab687623693ee47f21e0e47126d188e839ddf2656e3b56534783d8732b4fd29ee8ced480225df996ee7e628ecdb84ea235fe6a6c81927

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe

Filesize
330KB

MD5
a9642843de49fe7356d6f66114e6a7db

SHA1
0968d40b9de981719cb4af12c0b3f6fd831ddf9f

SHA256
1b4abee0de5b28df057f8da4c8fb2bb16e528f298565a79eb42b2ea3c5168466

SHA512
a937aca1848c6815208ab687623693ee47f21e0e47126d188e839ddf2656e3b56534783d8732b4fd29ee8ced480225df996ee7e628ecdb84ea235fe6a6c81927

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe

Filesize
330KB

MD5
a9642843de49fe7356d6f66114e6a7db

SHA1
0968d40b9de981719cb4af12c0b3f6fd831ddf9f

SHA256
1b4abee0de5b28df057f8da4c8fb2bb16e528f298565a79eb42b2ea3c5168466

SHA512
a937aca1848c6815208ab687623693ee47f21e0e47126d188e839ddf2656e3b56534783d8732b4fd29ee8ced480225df996ee7e628ecdb84ea235fe6a6c81927

Download Submit
\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe

Filesize
330KB

MD5
a9642843de49fe7356d6f66114e6a7db

SHA1
0968d40b9de981719cb4af12c0b3f6fd831ddf9f

SHA256
1b4abee0de5b28df057f8da4c8fb2bb16e528f298565a79eb42b2ea3c5168466

SHA512
a937aca1848c6815208ab687623693ee47f21e0e47126d188e839ddf2656e3b56534783d8732b4fd29ee8ced480225df996ee7e628ecdb84ea235fe6a6c81927

Download Submit
\Users\Admin\AppData\Local\Temp\RegisterIEPKEYs.exe

Filesize
330KB

MD5
a9642843de49fe7356d6f66114e6a7db

SHA1
0968d40b9de981719cb4af12c0b3f6fd831ddf9f

SHA256
1b4abee0de5b28df057f8da4c8fb2bb16e528f298565a79eb42b2ea3c5168466

SHA512
a937aca1848c6815208ab687623693ee47f21e0e47126d188e839ddf2656e3b56534783d8732b4fd29ee8ced480225df996ee7e628ecdb84ea235fe6a6c81927

Download Submit
\Users\Admin\AppData\Local\Temp\nst5ED.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/692-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/692-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/692-71-0x000000000041A1F8-mapping.dmp

Download
memory/796-62-0x0000000000000000-mapping.dmp

Download
memory/1668-65-0x0000000000000000-mapping.dmp

Download
memory/1776-68-0x0000000000000000-mapping.dmp

Download
memory/1964-67-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1964-69-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/1964-59-0x0000000000000000-mapping.dmp

Download
memory/1964-73-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2024-66-0x000000000486A000-0x000000000487B000-memory.dmp

Filesize
68KB

Download
memory/2024-54-0x00000000020C0000-0x0000000002134000-memory.dmp

Filesize
464KB

Download
memory/2024-57-0x0000000074E11000-0x0000000074E13000-memory.dmp

Filesize
8KB

Download
memory/2024-56-0x000000000486A000-0x000000000487B000-memory.dmp

Filesize
68KB

Download
memory/2024-55-0x0000000002130000-0x00000000021A2000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing