azorult | 59833bdf99c6e94235e386ce20c12647010e7de9a74356588b27a7e5fe4710ad

Analysis

max time kernel
93s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2022 15:29

Target

appicon.ps1
Size

3.5MB
MD5

7e8b01de67c0391da2dd1997b8e2f649
SHA1

70233d718878b78b32945e8f30cc4bb111542c85
SHA256

59833bdf99c6e94235e386ce20c12647010e7de9a74356588b27a7e5fe4710ad
SHA512

8f5c85c41d45381045d91def651d00639f0bdc3c86174fcf4e4d7ff1e1a9b872eb7001feb202000fec7047169ccb822e4d977b149c89f249b0dda127074b7511

Score

10^/10

Family

azorult

http://188.32.97.44/twitch/fk32nOPxf/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral2/memory/4568-132-0x0000000000400000-0x0000000000B79000-memory.dmp	upx
behavioral2/memory/4568-136-0x0000000000400000-0x0000000000B79000-memory.dmp	upx
behavioral2/memory/4568-138-0x0000000000400000-0x0000000000B79000-memory.dmp	upx
behavioral2/memory/4568-139-0x0000000000400000-0x0000000000B79000-memory.dmp	upx
behavioral2/memory/4568-141-0x0000000000400000-0x0000000000B79000-memory.dmp	upx
behavioral2/memory/4568-143-0x0000000000400000-0x0000000000B79000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegAsm.exe

pid process

4568 RegAsm.exe
4568 RegAsm.exe
4568 RegAsm.exe
4568 RegAsm.exe
4568 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2208 set thread context of 4568 2208 powershell.exe RegAsm.exe

description	pid	process	target process
PID 2208 set thread context of 4568	2208	powershell.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeRegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2208 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2208	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2208 wrote to memory of 4428	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4428	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4428	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4380	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4380	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4380	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 5012	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 5012	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 5012	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe
PID 2208 wrote to memory of 4568	2208	powershell.exe	RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5012

memory/2208-130-0x000002021EFC0000-0x000002021EFE2000-memory.dmp

Filesize
136KB

Download
memory/2208-131-0x00007FFF3B440000-0x00007FFF3BF01000-memory.dmp

Filesize
10.8MB

Download
memory/2208-135-0x00007FFF3B440000-0x00007FFF3BF01000-memory.dmp

Filesize
10.8MB

Download
memory/4568-132-0x0000000000400000-0x0000000000B79000-memory.dmp

Filesize
7.5MB

Download
memory/4568-133-0x0000000000B76D48-mapping.dmp

Download
memory/4568-136-0x0000000000400000-0x0000000000B79000-memory.dmp

Filesize
7.5MB

Download
memory/4568-138-0x0000000000400000-0x0000000000B79000-memory.dmp

Filesize
7.5MB

Download
memory/4568-139-0x0000000000400000-0x0000000000B79000-memory.dmp

Filesize
7.5MB

Download
memory/4568-140-0x000000007FA50000-0x000000007FE21000-memory.dmp

Filesize
3.8MB

Download
memory/4568-141-0x0000000000400000-0x0000000000B79000-memory.dmp

Filesize
7.5MB

Download
memory/4568-142-0x000000007FA50000-0x000000007FE21000-memory.dmp

Filesize
3.8MB

Download
memory/4568-143-0x0000000000400000-0x0000000000B79000-memory.dmp

Filesize
7.5MB

Download