azorult | 8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648

General

Target

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
Size

2.8MB
MD5

a6b44040c4be7e9f321c0d691041d14a
SHA1

c8e9a0b07eb80326556b13d08be0df77593456e4
SHA256

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648
SHA512

dcdf6555c085d16e47265f56496b6ee459ecbd64207f070155ece317c842c322cad17a480a2d50635f880564f3c4692478e1976ace77f1fa0025224afdb69e2e

Score

10^/10

azorult danabot banker botnet infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://waresustem.live/index.php

Extracted

Family

danabot

C2

111.16.115.107

45.77.40.71

219.38.42.24

36.161.165.12

111.93.37.5

185.25.165.125

95.179.168.37

2.148.32.114

77.80.160.106

81.202.212.201

rsa_pubkey.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Danabot x86 payload 4 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\NFQXZE~1.DLL	family_danabot
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.dll	family_danabot
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.dll	family_danabot

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

63 3652 rundll32.exe
64 3652 rundll32.exe
65 3652 rundll32.exe
66 3652 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exeNfqxzeo9yOcq.exe

pid process

3692 ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
3772 Nfqxzeo9yOcq.exe

flow	pid	process
63	3652	rundll32.exe
64	3652	rundll32.exe
65	3652	rundll32.exe
66	3652	rundll32.exe

pid	process
3692	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
3772	Nfqxzeo9yOcq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

3640 regsvr32.exe
3652 rundll32.exe
3652 rundll32.exe

pid	process
3640	regsvr32.exe
3652	rundll32.exe
3652	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

description	pid	process	target process
PID 5040 set thread context of 1584	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

pid	process
5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

pid	process
5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exeNfqxzeo9yOcq.exeregsvr32.exe

description	pid	process	target process
PID 5040 wrote to memory of 3692	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 5040 wrote to memory of 3692	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 5040 wrote to memory of 3692	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
PID 5040 wrote to memory of 3772	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 5040 wrote to memory of 3772	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 5040 wrote to memory of 3772	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	Nfqxzeo9yOcq.exe
PID 5040 wrote to memory of 1584	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
PID 5040 wrote to memory of 1584	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
PID 5040 wrote to memory of 1584	5040	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe	8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
PID 3772 wrote to memory of 3640	3772	Nfqxzeo9yOcq.exe	regsvr32.exe
PID 3772 wrote to memory of 3640	3772	Nfqxzeo9yOcq.exe	regsvr32.exe
PID 3772 wrote to memory of 3640	3772	Nfqxzeo9yOcq.exe	regsvr32.exe
PID 3640 wrote to memory of 3652	3640	regsvr32.exe	rundll32.exe
PID 3640 wrote to memory of 3652	3640	regsvr32.exe	rundll32.exe
PID 3640 wrote to memory of 3652	3640	regsvr32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
"C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe
  "C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe"
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe
  "C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\NFQXZE~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\NFQXZE~1.EXE@3772
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NFQXZE~1.DLL,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:3652
- C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe
  "C:\Users\Admin\AppData\Local\Temp\8fb660e69bc27c2fe492b68ca49f9d26f7a7df09f9e88fed1bcbada3ae156648.exe"
  2⤵
  PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe

Filesize
559KB

MD5
fa8edc2ec2f2ae2e5781bb4b2fabfd34

SHA1
0ef3f817067001ef2481087b4d135db00f5664b2

SHA256
07b673a42c9cee621f7a9d2bf9bf12666a391a0a1cf8ecb937b67f10bbab0ced

SHA512
dafd29563a2fb7366a28b705ec300d0068f7d2010b574f45a9dbea2730acac361842bebb9fbfbd5fba2b1310a474ddd3ec8fce4e627fb47f7fc4c2ec12e6a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILe85KZ5OM6293oOdFis8Ka3YImsHX8.exe

Filesize
559KB

MD5
fa8edc2ec2f2ae2e5781bb4b2fabfd34

SHA1
0ef3f817067001ef2481087b4d135db00f5664b2

SHA256
07b673a42c9cee621f7a9d2bf9bf12666a391a0a1cf8ecb937b67f10bbab0ced

SHA512
dafd29563a2fb7366a28b705ec300d0068f7d2010b574f45a9dbea2730acac361842bebb9fbfbd5fba2b1310a474ddd3ec8fce4e627fb47f7fc4c2ec12e6a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NFQXZE~1.DLL

Filesize
1.4MB

MD5
14cc887c0e1335018a07638ea294b218

SHA1
ce114b8757cf68cb10b438cc941c20ce00ad5852

SHA256
85743f9692fc23b3c0bbde4261e3c77193e66ade7953461c69266b1388156e53

SHA512
64536e7d28db9d429c42d9d5b366ed6c25fed546444475ca4963f3b15fcad0aaef988461d52dca22e7d0ac5ab44f3a5ba8a9304851058df6256b6793c9211c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.dll

Filesize
1.4MB

MD5
14cc887c0e1335018a07638ea294b218

SHA1
ce114b8757cf68cb10b438cc941c20ce00ad5852

SHA256
85743f9692fc23b3c0bbde4261e3c77193e66ade7953461c69266b1388156e53

SHA512
64536e7d28db9d429c42d9d5b366ed6c25fed546444475ca4963f3b15fcad0aaef988461d52dca22e7d0ac5ab44f3a5ba8a9304851058df6256b6793c9211c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.dll

Filesize
1.4MB

MD5
14cc887c0e1335018a07638ea294b218

SHA1
ce114b8757cf68cb10b438cc941c20ce00ad5852

SHA256
85743f9692fc23b3c0bbde4261e3c77193e66ade7953461c69266b1388156e53

SHA512
64536e7d28db9d429c42d9d5b366ed6c25fed546444475ca4963f3b15fcad0aaef988461d52dca22e7d0ac5ab44f3a5ba8a9304851058df6256b6793c9211c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.dll

Filesize
1.4MB

MD5
14cc887c0e1335018a07638ea294b218

SHA1
ce114b8757cf68cb10b438cc941c20ce00ad5852

SHA256
85743f9692fc23b3c0bbde4261e3c77193e66ade7953461c69266b1388156e53

SHA512
64536e7d28db9d429c42d9d5b366ed6c25fed546444475ca4963f3b15fcad0aaef988461d52dca22e7d0ac5ab44f3a5ba8a9304851058df6256b6793c9211c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe

Filesize
1.5MB

MD5
d2d307ad8b319817259183fbcd1c0b38

SHA1
1d3654c2293e4e0b9da1ca8dcd54dbad061af7ec

SHA256
859afc3448f5f87a236c32b06f8c82e07919479e7ff5095bacf646dbaf1abe6f

SHA512
0020e554bb274b7161eda0c60d8c2b4e21f8cc428fddb3e012e13c421802f870cc42e82d0791b5124afadbaa93a721fa23af351c14314ada7debb8f2ceec52b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nfqxzeo9yOcq.exe

Filesize
1.5MB

MD5
d2d307ad8b319817259183fbcd1c0b38

SHA1
1d3654c2293e4e0b9da1ca8dcd54dbad061af7ec

SHA256
859afc3448f5f87a236c32b06f8c82e07919479e7ff5095bacf646dbaf1abe6f

SHA512
0020e554bb274b7161eda0c60d8c2b4e21f8cc428fddb3e012e13c421802f870cc42e82d0791b5124afadbaa93a721fa23af351c14314ada7debb8f2ceec52b5

Download Submit
memory/1584-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1584-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1584-135-0x0000000000000000-mapping.dmp

Download
memory/3640-139-0x0000000000000000-mapping.dmp

Download
memory/3652-142-0x0000000000000000-mapping.dmp

Download
memory/3652-145-0x00000000020D0000-0x0000000002240000-memory.dmp

Filesize
1.4MB

Download
memory/3692-130-0x0000000000000000-mapping.dmp

Download
memory/3772-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads