azorult | eb165382dbcc999a719a7f61a2c23b823eb2d89fc7648330065983586dc9a869

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-09-2022 08:06

Target

Order R04-T4077 TBA-2022, pdf.exe
Size

186KB
MD5

c42bff2b027d01641cac47b363eaef63
SHA1

deb49ead9c64f834db57f7a5704321a7e684346e
SHA256

eb165382dbcc999a719a7f61a2c23b823eb2d89fc7648330065983586dc9a869
SHA512

591fea6ef966b327cca92fdbd13f7ac3de9740827774660dc7c758989765a6b6a81fffd3863c74b10550ab14ff3cc2a075b54c67061d86e08c2e1d9d871aa86b
SSDEEP

3072:yjFa0SeOyAVq3Vlfv+ZODb4941BVrJsQqe+/UajFVpCxBVOzyVjq:ASyAVEVGqkS1hsQqe+/xrI

Score

10^/10

Family

azorult

http://bl3ds2.shop/PL341/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

Order R04-T4077 TBA-2022, pdf.exe

description pid process target process

PID 1836 set thread context of 960 1836 Order R04-T4077 TBA-2022, pdf.exe cvtres.exe

description	pid	process	target process
PID 1836 set thread context of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Order R04-T4077 TBA-2022, pdf.exe

description	pid	process	target process
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe
PID 1836 wrote to memory of 960	1836	Order R04-T4077 TBA-2022, pdf.exe	cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
2⤵
PID:960

memory/960-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-70-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/960-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-67-0x000000000041A684-mapping.dmp

Download
memory/960-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/960-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1836-58-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/1836-54-0x0000000000D10000-0x0000000000D40000-memory.dmp

Filesize
192KB

Download
memory/1836-55-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/1836-57-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/1836-56-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download