azorult | 8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648

General

Target

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
Size

2.8MB
MD5

a6b44040c4be7e9f321c0d691041d14a
SHA1

c8e9a0b07eb80326556b13d08be0df77593456e4
SHA256

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648
SHA512

dcdf6555c085d16e47265f56496b6ee459ecbd64207f070155ece317c842c322cad17a480a2d50635f880564f3c4692478e1976ace77f1fa0025224afdb69e2e

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://waresustem.live/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exeNfqxzeo9yOcq.exe

pid process

1112 ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
1724 Nfqxzeo9yOcq.exe

pid	process
1112	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
1724	Nfqxzeo9yOcq.exe

Loads dropped DLL 4 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

pid	process
1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

description	pid	process	target process
PID 1940 set thread context of 1032	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

pid process

1940 8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

pid	process
1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

description	pid	process	target process
PID 1940 wrote to memory of 1112	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 1940 wrote to memory of 1112	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 1940 wrote to memory of 1112	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 1940 wrote to memory of 1112	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 1940 wrote to memory of 1724	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 1940 wrote to memory of 1724	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 1940 wrote to memory of 1724	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 1940 wrote to memory of 1724	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 1940 wrote to memory of 1032	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
PID 1940 wrote to memory of 1032	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
PID 1940 wrote to memory of 1032	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
PID 1940 wrote to memory of 1032	1940	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
"C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
  "C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe
  "C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe"
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
  "C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe"
  2⤵
  PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe

Filesize
559KB

MD5
fa8edc2ec2f2ae2e5781bb4b2fabfd34

SHA1
0ef3f817067001ef2481087b4d135db00f5664b2

SHA256
07b673a42c9cee621f7a9d2bf9bf12666a391a0a1cf8ecb937b67f10bbab0ced

SHA512
dafd29563a2fb7366a28b705ec300d0068f7d2010b574f45a9dbea2730acac361842bebb9fbfbd5fba2b1310a474ddd3ec8fce4e627fb47f7fc4c2ec12e6a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe

Filesize
1.5MB

MD5
d2d307ad8b319817259183fbcd1c0b38

SHA1
1d3654c2293e4e0b9da1ca8dcd54dbad061af7ec

SHA256
859afc3448f5f87a236c32b06f8c82e07919479e7ff5095bacf646dbaf1abe6f

SHA512
0020e554bb274b7161eda0c60d8c2b4e21f8cc428fddb3e012e13c421802f870cc42e82d0791b5124afadbaa93a721fa23af351c14314ada7debb8f2ceec52b5

Download Submit
\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe

Filesize
559KB

MD5
fa8edc2ec2f2ae2e5781bb4b2fabfd34

SHA1
0ef3f817067001ef2481087b4d135db00f5664b2

SHA256
07b673a42c9cee621f7a9d2bf9bf12666a391a0a1cf8ecb937b67f10bbab0ced

SHA512
dafd29563a2fb7366a28b705ec300d0068f7d2010b574f45a9dbea2730acac361842bebb9fbfbd5fba2b1310a474ddd3ec8fce4e627fb47f7fc4c2ec12e6a3cd

Download Submit
\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe

Filesize
559KB

MD5
fa8edc2ec2f2ae2e5781bb4b2fabfd34

SHA1
0ef3f817067001ef2481087b4d135db00f5664b2

SHA256
07b673a42c9cee621f7a9d2bf9bf12666a391a0a1cf8ecb937b67f10bbab0ced

SHA512
dafd29563a2fb7366a28b705ec300d0068f7d2010b574f45a9dbea2730acac361842bebb9fbfbd5fba2b1310a474ddd3ec8fce4e627fb47f7fc4c2ec12e6a3cd

Download Submit
\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe

Filesize
1.5MB

MD5
d2d307ad8b319817259183fbcd1c0b38

SHA1
1d3654c2293e4e0b9da1ca8dcd54dbad061af7ec

SHA256
859afc3448f5f87a236c32b06f8c82e07919479e7ff5095bacf646dbaf1abe6f

SHA512
0020e554bb274b7161eda0c60d8c2b4e21f8cc428fddb3e012e13c421802f870cc42e82d0791b5124afadbaa93a721fa23af351c14314ada7debb8f2ceec52b5

Download Submit
\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe

Filesize
1.5MB

MD5
d2d307ad8b319817259183fbcd1c0b38

SHA1
1d3654c2293e4e0b9da1ca8dcd54dbad061af7ec

SHA256
859afc3448f5f87a236c32b06f8c82e07919479e7ff5095bacf646dbaf1abe6f

SHA512
0020e554bb274b7161eda0c60d8c2b4e21f8cc428fddb3e012e13c421802f870cc42e82d0791b5124afadbaa93a721fa23af351c14314ada7debb8f2ceec52b5

Download Submit
memory/1032-62-0x000000000041A684-mapping.dmp

Download
memory/1032-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1112-57-0x0000000000000000-mapping.dmp

Download
memory/1724-61-0x0000000000000000-mapping.dmp

Download
memory/1940-54-0x00000000762A1000-0x00000000762A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads