azorult | 60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b

General

Target

60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe
Size

3.3MB
MD5

fb46fcac2d17b14c30e8d68a0f0a0023
SHA1

2e1d44ac241843f02b7b190902928e1acce27d4c
SHA256

60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b
SHA512

e6e7ed6be686a0ef9a6d1e6f930a88260fd8c27cf06aea51934efc027bec75d2066b7ab8b95b9ed8f7a6cf0bd98cbe7a3a15e87c9cf464ac404b3d04196f9dfb

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://licilucapiluca.rocks/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

busshost.exeYTLoader.exe

pid process

2768 busshost.exe
616 YTLoader.exe

pid	process
2768	busshost.exe
616	YTLoader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

Processes:

60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\LetsSee!\YTLoader.exe	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\busshost.exe	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe
File opened for modification	C:\Program Files (x86)\LetsSee!\Uninstall.exe	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe
File created	C:\Program Files (x86)\LetsSee!\Uninstall.ini	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4340 616 WerFault.exe YTLoader.exe

pid	pid_target	process	target process
4340	616	WerFault.exe	YTLoader.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	YTLoader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

YTLoader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	YTLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	YTLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

YTLoader.exe

description pid process

Token: SeDebugPrivilege 616 YTLoader.exe

description	pid	process
Token: SeDebugPrivilege	616	YTLoader.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe

description	pid	process	target process
PID 4508 wrote to memory of 2768	4508	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe	busshost.exe
PID 4508 wrote to memory of 2768	4508	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe	busshost.exe
PID 4508 wrote to memory of 2768	4508	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe	busshost.exe
PID 4508 wrote to memory of 616	4508	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe	YTLoader.exe
PID 4508 wrote to memory of 616	4508	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe	YTLoader.exe
PID 4508 wrote to memory of 616	4508	60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe	YTLoader.exe

C:\Users\Admin\AppData\Local\Temp\60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe
"C:\Users\Admin\AppData\Local\Temp\60187f056167cf2f951a8a9302e312ff9e83cafbf6ae7d436e3db1646b8b092b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files (x86)\LetsSee!\busshost.exe
  "C:\Program Files (x86)\LetsSee!\busshost.exe"
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 616 -s 1616
    3⤵
    - Program crash
    PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 616 -ip 616
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\YTLoader.exe

Filesize
3.0MB

MD5
c53d2de8becdaf58caba89a297455c65

SHA1
c60da079393025e63475683375e0a045cefa3473

SHA256
7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272

SHA512
a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe

Filesize
406KB

MD5
d6422d74934d39845e107a25e16a2146

SHA1
87b7bb22fd16e36ed34476b8660af1f8b831a76b

SHA256
9b664cd4a3de25b2b3955b5984cd5f191cb364e0b25c53e01712f4c59fa48bf4

SHA512
baa642e5143f8bea715a35da98e0421ea0efcb5175407965f135fb7af134788528af3e6ecff02231901bf40f7e52e4b6174f529a823200d560598349f894e5f1

Download Submit
C:\Program Files (x86)\LetsSee!\busshost.exe

Filesize
406KB

MD5
d6422d74934d39845e107a25e16a2146

SHA1
87b7bb22fd16e36ed34476b8660af1f8b831a76b

SHA256
9b664cd4a3de25b2b3955b5984cd5f191cb364e0b25c53e01712f4c59fa48bf4

SHA512
baa642e5143f8bea715a35da98e0421ea0efcb5175407965f135fb7af134788528af3e6ecff02231901bf40f7e52e4b6174f529a823200d560598349f894e5f1

Download Submit
memory/616-144-0x00000000050B0000-0x00000000050B8000-memory.dmp

Filesize
32KB

Download
memory/616-147-0x0000000005800000-0x0000000005808000-memory.dmp

Filesize
32KB

Download
memory/616-135-0x0000000000000000-mapping.dmp

Download
memory/616-140-0x0000000005060000-0x000000000506A000-memory.dmp

Filesize
40KB

Download
memory/616-138-0x0000000000240000-0x0000000000548000-memory.dmp

Filesize
3.0MB

Download
memory/616-141-0x0000000005070000-0x0000000005078000-memory.dmp

Filesize
32KB

Download
memory/616-142-0x0000000005090000-0x0000000005098000-memory.dmp

Filesize
32KB

Download
memory/616-143-0x00000000050A0000-0x00000000050A8000-memory.dmp

Filesize
32KB

Download
memory/616-146-0x00000000057F0000-0x00000000057F8000-memory.dmp

Filesize
32KB

Download
memory/616-145-0x00000000057E0000-0x00000000057E8000-memory.dmp

Filesize
32KB

Download
memory/2768-134-0x0000000000C88000-0x0000000000C99000-memory.dmp

Filesize
68KB

Download
memory/2768-130-0x0000000000000000-mapping.dmp

Download
memory/2768-139-0x0000000000400000-0x0000000000943000-memory.dmp

Filesize
5.3MB

Download
memory/2768-133-0x0000000000C88000-0x0000000000C99000-memory.dmp

Filesize
68KB

Download
memory/2768-148-0x0000000000C88000-0x0000000000C99000-memory.dmp

Filesize
68KB

Download
memory/2768-149-0x0000000000400000-0x0000000000943000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads