azorult | f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

General

Target

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
Size

294KB
MD5

a0e3b3cde4257e36a6f9c1ad30954b41
SHA1

fde540bd802143b4876ea346e5604936f62d4a93
SHA256

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895
SHA512

626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

C2

http://uzoma.ru/db2/3.3/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

sdhbhjsdhsd.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid process

4744 sdhbhjsdhsd.exe
2152 sdhbhjsdhsd.exe
3468 sdhbhjsdhsd.exe

pid	process
4744	sdhbhjsdhsd.exe
2152	sdhbhjsdhsd.exe
3468	sdhbhjsdhsd.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2260-132-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/2260-133-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/2260-134-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/2260-135-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx
behavioral2/memory/4744-141-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/2152-142-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/4744-143-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/4744-144-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/2152-145-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
behavioral2/memory/2152-146-0x0000000000400000-0x00000000004D1000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

sdhbhjsdhsd.exe

description pid process target process

PID 2152 set thread context of 3468 2152 sdhbhjsdhsd.exe sdhbhjsdhsd.exe

description	pid	process	target process
PID 2152 set thread context of 3468	2152	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

NTFS ADS 1 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe:ZoneIdentifier	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid	process
2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
4744	sdhbhjsdhsd.exe
4744	sdhbhjsdhsd.exe
2152	sdhbhjsdhsd.exe
2152	sdhbhjsdhsd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sdhbhjsdhsd.exe

pid process

2152 sdhbhjsdhsd.exe
2152 sdhbhjsdhsd.exe

pid	process
2152	sdhbhjsdhsd.exe
2152	sdhbhjsdhsd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exesdhbhjsdhsd.exe

description	pid	process	target process
PID 2260 wrote to memory of 4744	2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 2260 wrote to memory of 4744	2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 2260 wrote to memory of 4744	2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 2260 wrote to memory of 2152	2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 2260 wrote to memory of 2152	2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 2260 wrote to memory of 2152	2260	f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe	sdhbhjsdhsd.exe
PID 2152 wrote to memory of 3468	2152	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 2152 wrote to memory of 3468	2152	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 2152 wrote to memory of 3468	2152	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

C:\Users\Admin\AppData\Local\Temp\f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe
"C:\Users\Admin\AppData\Local\Temp\f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe" 1 "C:\Users\Admin\AppData\Local\Temp\f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895.exe" E58630A
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
    "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
    3⤵
    - Executes dropped EXE
    PID:3468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
294KB

MD5
a0e3b3cde4257e36a6f9c1ad30954b41

SHA1
fde540bd802143b4876ea346e5604936f62d4a93

SHA256
f168aeb37f55586709411c882ce34166905cf469c92d5535ea2c3fa5f24fc895

SHA512
626cdf5a79190800d4afbd74e754cd085e62946dea42c5dcc49d37f1a4fef1d7d0a1098bd7b48e8550e71baf5f8f279cb54dc7c3b3c4d18967482debec585470

Download Submit
memory/2152-142-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2152-145-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2152-146-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2152-139-0x0000000000000000-mapping.dmp

Download
memory/2260-134-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2260-132-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2260-135-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2260-133-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3468-147-0x0000000000000000-mapping.dmp

Download
memory/3468-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3468-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3468-151-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4744-141-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4744-143-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4744-144-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/4744-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads