azorult | 61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

General

Target

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
Size

787KB
MD5

c952cfb9862d58fde136954569e1a972
SHA1

5819ab482ec5bb0a077617e262bc9bf100294830
SHA256

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5
SHA512

f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://uzoma.ru/db2/3.3/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

sdhbhjsdhsd.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid process

2456 sdhbhjsdhsd.exe
1668 sdhbhjsdhsd.exe
3048 sdhbhjsdhsd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

sdhbhjsdhsd.exe

description pid process target process

PID 1668 set thread context of 3048 1668 sdhbhjsdhsd.exe sdhbhjsdhsd.exe

pid	process
2456	sdhbhjsdhsd.exe
1668	sdhbhjsdhsd.exe
3048	sdhbhjsdhsd.exe

description	pid	process	target process
PID 1668 set thread context of 3048	1668	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

NTFS ADS 1 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe:ZoneIdentifier	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exesdhbhjsdhsd.exesdhbhjsdhsd.exe

pid	process
1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
2456	sdhbhjsdhsd.exe
2456	sdhbhjsdhsd.exe
1668	sdhbhjsdhsd.exe
1668	sdhbhjsdhsd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

sdhbhjsdhsd.exe

pid process

1668 sdhbhjsdhsd.exe
1668 sdhbhjsdhsd.exe

pid	process
1668	sdhbhjsdhsd.exe
1668	sdhbhjsdhsd.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exesdhbhjsdhsd.exe

description	pid	process	target process
PID 1652 wrote to memory of 2456	1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1652 wrote to memory of 2456	1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1652 wrote to memory of 2456	1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1652 wrote to memory of 1668	1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1652 wrote to memory of 1668	1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1652 wrote to memory of 1668	1652	61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 3048	1668	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 3048	1668	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe
PID 1668 wrote to memory of 3048	1668	sdhbhjsdhsd.exe	sdhbhjsdhsd.exe

C:\Users\Admin\AppData\Local\Temp\61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe
"C:\Users\Admin\AppData\Local\Temp\61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe" 1 "C:\Users\Admin\AppData\Local\Temp\61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5.exe" E573623
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2456
- C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
  "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe
    "C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe"
    3⤵
    - Executes dropped EXE
    PID:3048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
C:\Users\Admin\AppData\Roaming\dndnks\sdhbhjsdhsd.exe

Filesize
787KB

MD5
c952cfb9862d58fde136954569e1a972

SHA1
5819ab482ec5bb0a077617e262bc9bf100294830

SHA256
61305e9bf5a8551a94b407e579797b590b5c8ea1e78a3936f2dbc76dacfe32a5

SHA512
f480d4f7c01fe34d194b3d3f1f67b69e8d738bd3f1e99a742280f561807e386a4bd9ceed08c926250c27e3e22c1494ef3c416458a05ed25119189c4307af1b0e

Download Submit
memory/1652-130-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1668-133-0x0000000000000000-mapping.dmp

Download
memory/1668-137-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2456-131-0x0000000000000000-mapping.dmp

Download
memory/2456-136-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3048-138-0x0000000000000000-mapping.dmp

Download
memory/3048-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads