azorult | dcc410a5a4caecdc8ff2d863df50fae3adec46f391b50705e2f4ee59235d7af3

Analysis

max time kernel
373s
max time network
414s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RfQ urgente_AP65425652_032421.exe
Size

426KB
MD5

41f1ae227bcf937eb3503819f5fbeebd
SHA1

c73f5ec3b1fdc30867763f413e0646a53f5d7503
SHA256

dcc410a5a4caecdc8ff2d863df50fae3adec46f391b50705e2f4ee59235d7af3
SHA512

b065fc4f56fdf388231a3b8e23e60ca15371c0a775aef90608e5dc419a46b1a2041c1e56bd1bf568bc3ff4623a8316d2bc1f590e55c78e72568f63f4d087b4eb
SSDEEP

6144:ATouKrWBEu3/Z2lpGDHU3ykJkUDmC/21qnbaItq+1mxwYeqgmaf:AToPWBv/cpGrU3yFUiG2MzBSwx

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 1 IoCs

Processes:

btgwc.exe

pid process

1752 btgwc.exe

pid	process
1752	btgwc.exe

Loads dropped DLL 12 IoCs

Processes:

RfQ urgente_AP65425652_032421.exebtgwc.exebtgwc.exeWerFault.exe

pid	process
1712	RfQ urgente_AP65425652_032421.exe
1712	RfQ urgente_AP65425652_032421.exe
1712	RfQ urgente_AP65425652_032421.exe
1712	RfQ urgente_AP65425652_032421.exe
1712	RfQ urgente_AP65425652_032421.exe
1752	btgwc.exe
2028	btgwc.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe
336	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

btgwc.exe

description pid process target process

PID 1752 set thread context of 2028 1752 btgwc.exe btgwc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

336 1752 WerFault.exe btgwc.exe

description	pid	process	target process
PID 1752 set thread context of 2028	1752	btgwc.exe	btgwc.exe

pid	pid_target	process	target process
336	1752	WerFault.exe	btgwc.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

RfQ urgente_AP65425652_032421.exebtgwc.exe

description	pid	process	target process
PID 1712 wrote to memory of 1752	1712	RfQ urgente_AP65425652_032421.exe	btgwc.exe
PID 1712 wrote to memory of 1752	1712	RfQ urgente_AP65425652_032421.exe	btgwc.exe
PID 1712 wrote to memory of 1752	1712	RfQ urgente_AP65425652_032421.exe	btgwc.exe
PID 1712 wrote to memory of 1752	1712	RfQ urgente_AP65425652_032421.exe	btgwc.exe
PID 1752 wrote to memory of 2028	1752	btgwc.exe	btgwc.exe
PID 1752 wrote to memory of 2028	1752	btgwc.exe	btgwc.exe
PID 1752 wrote to memory of 2028	1752	btgwc.exe	btgwc.exe
PID 1752 wrote to memory of 2028	1752	btgwc.exe	btgwc.exe
PID 1752 wrote to memory of 2028	1752	btgwc.exe	btgwc.exe
PID 1752 wrote to memory of 336	1752	btgwc.exe	WerFault.exe
PID 1752 wrote to memory of 336	1752	btgwc.exe	WerFault.exe
PID 1752 wrote to memory of 336	1752	btgwc.exe	WerFault.exe
PID 1752 wrote to memory of 336	1752	btgwc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RfQ urgente_AP65425652_032421.exe
"C:\Users\Admin\AppData\Local\Temp\RfQ urgente_AP65425652_032421.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\btgwc.exe
"C:\Users\Admin\AppData\Local\Temp\btgwc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\btgwc.exe
"C:\Users\Admin\AppData\Local\Temp\btgwc.exe"
3⤵
- Loads dropped DLL
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 192
3⤵
- Loads dropped DLL
- Program crash
PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\iduqnmxlqz.agd
Filesize
112KB

MD5
b38a944979745d6f219bc27f8f18c386

SHA1
4dbc863add82130fa78bb6b713c5da57a636502b

SHA256
25d502a904053b724bf0fd456900311c4c5e186c645b4127698e41ac133fdc02

SHA512
3483486e75c871ce6b79f09492d8772839e82bf602fe4a69d8f4a8e9913de8e404fc9cc70425f1e277572fe47c4b7ec6a873cf2e6a430ec234a1e0c82ac09a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\latjgmqbzpm.v
Filesize
4KB

MD5
984564f070f9bc6d12afa48496da12df

SHA1
ee02702166ba94915454401b8905ad10b31f511c

SHA256
1d751e623004c3243bd2fb6d5cecf57fc78ad0de6ebff4a83491214b4644b692

SHA512
8013cb62eb14dbe7c2074f983354d414a3ac9b2979e053e56dd0a45507d6e6d0132ddde24fd27e1db5417342f302e16329d1e5b4f52facbbf71fbd39dd814784

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
\Users\Admin\AppData\Local\Temp\btgwc.exe
Filesize
56KB

MD5
890373d650ed8dd50c9ec3c3810a6735

SHA1
d6cfc285dc0ffc79dc2297c9fe6a133edd9ac55c

SHA256
14953d1be722e35f5d401fcb29482d3530ea9d977b4d159ab005b3cb2bf06a3c

SHA512
3330026dc17706f9e9410bd8b92efe7ee7ecf5b3f1cf6a5981aff006bba6efec0ec7c4f7d9c387938f044e2fb603459c9389ad447c8bdedf4fcdbe8d2a9e8478

Download Submit
memory/336-69-0x0000000000000000-mapping.dmp

Download
memory/1712-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1752-60-0x0000000000000000-mapping.dmp

Download
memory/2028-67-0x000000000041A684-mapping.dmp

Download