azorult | f4a373fc450be3031cd58ed55a1a1e3357851bc25a63c16f0804ea035d3b881d

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 07:46

Target

DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe
Size

27KB
MD5

4dc3ea5a5834d3dfdb1e539d639bbd40
SHA1

adb17342c8af9f6dfca3506ac9da9da886b81d88
SHA256

f4a373fc450be3031cd58ed55a1a1e3357851bc25a63c16f0804ea035d3b881d
SHA512

1e1c0efdde9aba9b7472d92fdc2f95ea4b4beaec517737d98377b19dcdd2d992040ca32a9c0eea4a5d367040ea9e0acbd3b66a2d582e24d5100a725c84f593e7
SSDEEP

384:xXqVQvSX3Ui4EGtI1g4+vU81Q5eBZAvmy8ZpHzGovUJAYkAYMjZB:wHXkTnlxUGQ5S+v7iRPPRMNB

Score

10^/10

Family

azorult

http://141.98.6.75/dike/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe

description pid process target process

PID 4752 set thread context of 4604 4752 DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe Caspol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe

description pid process

Token: SeDebugPrivilege 4752 DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe

description	pid	process	target process
PID 4752 set thread context of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe

description	pid	process
Token: SeDebugPrivilege	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe

description	pid	process	target process
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe
PID 4752 wrote to memory of 4604	4752	DHL EXPRESS LEVERINGSBERICHT VOOR,pdf.exe	Caspol.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
2⤵
PID:4604

memory/4604-133-0x0000000000000000-mapping.dmp

Download
memory/4604-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4604-136-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4604-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4752-132-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download