azorult | f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

General

Target

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
Size

294KB
MD5

a0e3b3cde4257e36a6f9c1ad30954b41
SHA1

fde540bd802143b4876ea346e5604936f62d4a93
SHA256

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895
SHA512

626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

C2

http://uzoma.ru/db2/3.3/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

sdhbhjsdhsd.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid process

1504 sdhbhjsdhsd.exe
1540 sdhbhjsdhsd.exe
1464 sdhbhjsdhsd.exe

pid	process
1504	sdhbhjsdhsd.exe
1540	sdhbhjsdhsd.exe
1464	sdhbhjsdhsd.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1992-54-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1992-55-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1992-56-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
behavioral1/memory/1992-65-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
behavioral1/memory/1504-66-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1540-67-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1504-68-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1540-70-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1504-72-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral1/memory/1540-73-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx

Deletes itself 1 IoCs

Processes:

sdhbhjsdhsd.exe

pid process

1504 sdhbhjsdhsd.exe

pid	process
1504	sdhbhjsdhsd.exe

Loads dropped DLL 3 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe

pid	process
1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sdhbhjsdhsd.exe

description pid process target process

PID 1540 set thread context of 1464 1540 sdhbhjsdhsd.exe sdhbhjsdhsd.exe

description	pid	process	target process
PID 1540 set thread context of 1464	1540	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

NTFS ADS 1 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe:ZoneIdentifier	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid process

1992 f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
1504 sdhbhjsdhsd.exe
1540 sdhbhjsdhsd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sdhbhjsdhsd.exe

pid process

1540 sdhbhjsdhsd.exe
1540 sdhbhjsdhsd.exe

pid	process
1540	sdhbhjsdhsd.exe
1540	sdhbhjsdhsd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exesdhbhjsdhsd.exe

description	pid	process	target process
PID 1992 wrote to memory of 1504	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1504	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1504	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1504	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1540	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1540	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1540	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1992 wrote to memory of 1540	1992	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 1540 wrote to memory of 1464	1540	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 1540 wrote to memory of 1464	1540	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 1540 wrote to memory of 1464	1540	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 1540 wrote to memory of 1464	1540	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

C:\Users\Admin\AppData\Local\Temp\f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
"C:\Users\Admin\AppData\Local\Temp\f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe" 1 "C:\Users\Admin\AppData\Local\Temp\f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe" 6C64CC
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  PID:1504
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
    "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
    3⤵
    - Executes dropped EXE
    PID:1464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
memory/1464-75-0x000000000041A1F8-mapping.dmp

Download
memory/1464-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1464-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1464-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1504-66-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1504-68-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1504-72-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1504-60-0x0000000000000000-mapping.dmp

Download
memory/1540-63-0x0000000000000000-mapping.dmp

Download
memory/1540-67-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1540-70-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1540-73-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1992-57-0x0000000076291000-0x0000000076293000-memory.dmp

Filesize
8KB

Download
memory/1992-55-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1992-56-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1992-54-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1992-65-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads