azorult | 61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

General

Target

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
Size

787KB
MD5

c952cfb9862d58fde136954569e1a972
SHA1

5819ab482ec5bb0a077617e262bc9bf100294830
SHA256

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5
SHA512

f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://uzoma.ru/db2/3.3/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

sdhbhjsdhsd.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid process

1652 sdhbhjsdhsd.exe
572 sdhbhjsdhsd.exe
2008 sdhbhjsdhsd.exe
Deletes itself 1 IoCs

Processes:

sdhbhjsdhsd.exe

pid process

1652 sdhbhjsdhsd.exe

pid	process
1652	sdhbhjsdhsd.exe
572	sdhbhjsdhsd.exe
2008	sdhbhjsdhsd.exe

pid	process
1652	sdhbhjsdhsd.exe

Loads dropped DLL 3 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe

pid	process
1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

sdhbhjsdhsd.exe

description pid process target process

PID 572 set thread context of 2008 572 sdhbhjsdhsd.exe sdhbhjsdhsd.exe

description	pid	process	target process
PID 572 set thread context of 2008	572	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

NTFS ADS 1 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe:ZoneIdentifier	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid process

1668 61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
572 sdhbhjsdhsd.exe
1652 sdhbhjsdhsd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sdhbhjsdhsd.exe

pid process

572 sdhbhjsdhsd.exe
572 sdhbhjsdhsd.exe

pid	process
572	sdhbhjsdhsd.exe
572	sdhbhjsdhsd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exesdhbhjsdhsd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1652	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 1652	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 1652	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 1652	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 572	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 572	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 572	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 572	1668	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 572 wrote to memory of 2008	572	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 572 wrote to memory of 2008	572	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 572 wrote to memory of 2008	572	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 572 wrote to memory of 2008	572	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

C:\Users\Admin\AppData\Local\Temp\61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
"C:\Users\Admin\AppData\Local\Temp\61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe"
1⤵
- Loads dropped DLL
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe" 1 "C:\Users\Admin\AppData\Local\Temp\61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe" 6C6327
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
    "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
    3⤵
    - Executes dropped EXE
    PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
memory/572-61-0x0000000000000000-mapping.dmp

Download
memory/572-65-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1652-57-0x0000000000000000-mapping.dmp

Download
memory/1652-66-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1668-54-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1668-59-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2008-68-0x000000000041A1F8-mapping.dmp

Download
memory/2008-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2008-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads