azorult | e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7

General

Target

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe
Size

764KB
MD5

98a3c6b6fbcb74e61ae91b97c1a51a00
SHA1

cc477b76ab7beb0e4014122b45626dc67ff2a077
SHA256

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7
SHA512

2dc4501cb0a0f5bee4e1e5b67e00e4204ad6db09128b78dba28c78ffe6a49f50daa4b7120c1cf96141f01d81390fdfa58d738ea54f2fe4a257a589f1ff66f5eb

Score

10^/10

azorult infostealer persistence trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

2CVXGH~1.EXE2CVXGH~1.EXE

pid process

3524 2CVXGH~1.EXE
4256 2CVXGH~1.EXE

pid	process
3524	2CVXGH~1.EXE
4256	2CVXGH~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

2CVXGH~1.EXE2CVXGH~1.EXE

pid process

3524 2CVXGH~1.EXE
4256 2CVXGH~1.EXE
4256 2CVXGH~1.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

2CVXGH~1.EXE

description pid process target process

PID 3524 set thread context of 4256 3524 2CVXGH~1.EXE 2CVXGH~1.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2CVXGH~1.EXE

pid process

3524 2CVXGH~1.EXE

pid	process
3524	2CVXGH~1.EXE
4256	2CVXGH~1.EXE
4256	2CVXGH~1.EXE

description	pid	process	target process
PID 3524 set thread context of 4256	3524	2CVXGH~1.EXE	2CVXGH~1.EXE

pid	process
3524	2CVXGH~1.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe2CVXGH~1.EXE

description	pid	process	target process
PID 4572 wrote to memory of 3524	4572	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 4572 wrote to memory of 3524	4572	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 4572 wrote to memory of 3524	4572	e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe	2CVXGH~1.EXE
PID 3524 wrote to memory of 4256	3524	2CVXGH~1.EXE	2CVXGH~1.EXE
PID 3524 wrote to memory of 4256	3524	2CVXGH~1.EXE	2CVXGH~1.EXE
PID 3524 wrote to memory of 4256	3524	2CVXGH~1.EXE	2CVXGH~1.EXE

C:\Users\Admin\AppData\Local\Temp\e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe
"C:\Users\Admin\AppData\Local\Temp\e5c4c30e0ba56d80385009ce8d1fdbca75a9d9641d4b58cd7c4b75ec5a6295d7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
8.4MB

MD5
f5ece5a5ef7d90c814b57ebd25ba623d

SHA1
80549a8e114ef424f926cf474f59b68b93caff8d

SHA256
b1b796fc1e8bbe1ac66b1b97dea0cc39e33490e33aef68bde0a332682718552a

SHA512
2c9db77a0006b1520ebb1d2419575b42f73dfa178a8d7eaa87adf97369faee9ffc1aa60d7223afa103776c5ea785d29d0da446fc70d295db07f54904001351be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
8.5MB

MD5
b4c01378771f8e2f3545ac211dcef10d

SHA1
c83fda4f4f5c9fec20b7e760ff7a2cf94abb3242

SHA256
e8f4a4bd19c254bd393b20e4b59bbfd12725031e574de25b71899ba37f212535

SHA512
614697a4a34a5424ecf418e593f28c40b58230177fbea88244f865d83bef17f7990fb7fb21ca5394a6a900ae4eeb863aa85e3b4d88debe8acb91b2edccef6ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2CVXGH~1.EXE

Filesize
1.3MB

MD5
35e57568e6c69670342246181514dac2

SHA1
c3d583f12c63da6e1d44e3b16597bf48dc81c4c8

SHA256
aaa953c90c35131b605cc2378607803e8a18ff621dc34bce4e8fcda6a82e6d43

SHA512
c5d5d038cb142d9519e11ccb1b8eeb5e2657b39a9a03b561ffa9c28481b57942dd9b662861a7918a2e084e1bb78b2f4488debf7c7dbcadea5489cafd96724229

Download Submit
memory/3524-140-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download
memory/3524-130-0x0000000000000000-mapping.dmp

Download
memory/3524-135-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download
memory/3524-139-0x00007FFC8FCD0000-0x00007FFC8FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/3524-138-0x0000000002260000-0x000000000226E000-memory.dmp

Filesize
56KB

Download
memory/4256-142-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download
memory/4256-141-0x00007FFC8FCD0000-0x00007FFC8FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/4256-136-0x0000000000000000-mapping.dmp

Download
memory/4256-144-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4256-143-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4256-149-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/4256-150-0x0000000000061000-0x000000000007E000-memory.dmp

Filesize
116KB

Download
memory/4256-151-0x00000000005B0000-0x00000000005BE000-memory.dmp

Filesize
56KB

Download
memory/4256-153-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download
memory/4256-152-0x00007FFC8FCD0000-0x00007FFC8FEC5000-memory.dmp

Filesize
2.0MB

Download
memory/4256-154-0x0000000077BC0000-0x0000000077D63000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing