azorult | e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7

General

Target

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe
Size

764KB
MD5

98a3c6b6fbcb74e61ae91b97c1a51a00
SHA1

cc477b76ab7beb0e4014122b45626dc67ff2a077
SHA256

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7
SHA512

2dc4501cb0a0f5bee4e1e5b67e00e4204ad6db09128b78dba28c78ffe6a49f50daa4b7120c1cf96141f01d81390fdfa58d738ea54f2fe4a257a589f1ff66f5eb

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

2CVXGH~1.EXE2CVXGH~1.EXE

pid process

1728 2CVXGH~1.EXE
2000 2CVXGH~1.EXE
Loads dropped DLL 1 IoCs

Processes:

2CVXGH~1.EXE

pid process

1728 2CVXGH~1.EXE

pid	process
1728	2CVXGH~1.EXE
2000	2CVXGH~1.EXE

pid	process
1728	2CVXGH~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

2CVXGH~1.EXE2CVXGH~1.EXE

pid process

1728 2CVXGH~1.EXE
2000 2CVXGH~1.EXE
2000 2CVXGH~1.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

2CVXGH~1.EXE

description pid process target process

PID 1728 set thread context of 2000 1728 2CVXGH~1.EXE 2CVXGH~1.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2CVXGH~1.EXE

pid process

1728 2CVXGH~1.EXE

pid	process
1728	2CVXGH~1.EXE
2000	2CVXGH~1.EXE
2000	2CVXGH~1.EXE

description	pid	process	target process
PID 1728 set thread context of 2000	1728	2CVXGH~1.EXE	2CVXGH~1.EXE

pid	process
1728	2CVXGH~1.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe2CVXGH~1.EXE

description	pid	process	target process
PID 1064 wrote to memory of 1728	1064	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 1064 wrote to memory of 1728	1064	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 1064 wrote to memory of 1728	1064	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 1064 wrote to memory of 1728	1064	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 1728 wrote to memory of 2000	1728	2CVXGH~1.EXE	2CVXGH~1.EXE
PID 1728 wrote to memory of 2000	1728	2CVXGH~1.EXE	2CVXGH~1.EXE
PID 1728 wrote to memory of 2000	1728	2CVXGH~1.EXE	2CVXGH~1.EXE
PID 1728 wrote to memory of 2000	1728	2CVXGH~1.EXE	2CVXGH~1.EXE

C:\Users\Admin\AppData\Local\Temp\e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe
"C:\Users\Admin\AppData\Local\Temp\e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
1.4MB

MD5
886ec95d144101c766bee3cfc837c62a

SHA1
8e5e693219fc2944c9a23535c38f50c5bcc80676

SHA256
1a11813932a369629493f86cdd603d8a821301adde77fd998e4c57aecc031e3e

SHA512
28bf5e5287ebc4fc7f992276225c998d0a848dfd4e166f024189a28b3620d31baf0068105d63f0eb61748ca81ec6b19b17f692c923f212ddbb13e44d19b9a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
1.1MB

MD5
3ff2d59478097a20260eb6a2e4f9ed7c

SHA1
130936a78584829991add296654965b3c743873a

SHA256
d142fa3c3ed861e4815d6c526e53e5e80ef141ee6707fe9936b0489fdcef262b

SHA512
d55342e02d46beb4d886d29a4ae98c15e97d80a5d402d7c88b9bca206e802f7583b6bd80737135c990d7ea5ce2094cf9523528f2d8cedc72546bca397cc8b052

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
1.2MB

MD5
e8e09bca0798f9d933ced0b373f1a31b

SHA1
31a7ef9f8a66c0312e606cb90823e890d03d1f8b

SHA256
6eba205da55550387564a9efdca0e9fd4c4b209410795905dcc46ec7e82d33ed

SHA512
29e1b576a3128286a08a0175f69fc3c83321c4d6b274320736abbc21b74ed31046e95a6277eb3b47d9a93d312392d90b5ed8cecd68af93b7dd606b4d7aad040f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
1.9MB

MD5
d529a0f0329d889b7ccf09dad080a7c5

SHA1
0e0aaab2177bf9fa9e86f8e3d2c3d4f8b54d0b8c

SHA256
5ab410a41f003370e2d18fe1b8a21aeb2e763f0109ee43746d05ce0f3968c0ba

SHA512
451a18ad3e3882c0d3b7431b8303f0efa3436d13c8f97cbbfff2a8fcf84bfcc0df239998a82ecce70edaa1afdc17aaeb0406927f56fa2c7ba5fe076e7f230b38

Download Submit
memory/1064-54-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1728-62-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1728-63-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/1728-68-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1728-59-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1728-69-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/1728-60-0x00000000749D1000-0x00000000749D3000-memory.dmp

Filesize
8KB

Download
memory/1728-55-0x0000000000000000-mapping.dmp

Download
memory/2000-66-0x000000000046F775-mapping.dmp

Download
memory/2000-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2000-72-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2000-78-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/2000-79-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download
memory/2000-80-0x0000000000220000-0x000000000022E000-memory.dmp

Filesize
56KB

Download
memory/2000-81-0x0000000076EA0000-0x0000000077020000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing