azorult | bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c

Analysis

max time kernel
57s
max time network
60s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
15-10-2022 07:23

Target

QUOTATIONS10102022.exe
Size

882KB
MD5

c81bfa6fceb066edf7ed02789826d026
SHA1

9658d34de7857cc57eb7c9dd9a31386f23b62133
SHA256

bb42af5051697b32214e007c7258386cfef013e0b14392e1b48a623d5106104c
SHA512

0474c8ca862a91949b36a7f2e7f04073cfdf1bd70f3b7ea22c42c3a894cee8ae00ac5b7c27e995ece8ac95d33e25dabfd51e09a990819a4ad6c53d74b7acf421
SSDEEP

12288:kTQO2iNFJ2uAV3O64+NDUqrIWeFIbCzuHg6VklrhT4FW9G7s:6D1Y1OP+NKxzuHNklrSW9Cs

Score

10^/10

Family

azorult

http://spursg.shop/spursg/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

QUOTATIONS10102022.exe

description pid process target process

PID 1708 set thread context of 2012 1708 QUOTATIONS10102022.exe QUOTATIONS10102022.exe

description	pid	process	target process
PID 1708 set thread context of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

QUOTATIONS10102022.exe

description	pid	process	target process
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe
PID 1708 wrote to memory of 2012	1708	QUOTATIONS10102022.exe	QUOTATIONS10102022.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATIONS10102022.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATIONS10102022.exe"
2⤵
PID:2012

memory/1708-54-0x00000000009B0000-0x0000000000A92000-memory.dmp

Filesize
904KB

Download
memory/1708-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1708-56-0x0000000001EA0000-0x0000000001EB8000-memory.dmp

Filesize
96KB

Download
memory/1708-57-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/1708-58-0x0000000005C50000-0x0000000005CCC000-memory.dmp

Filesize
496KB

Download
memory/1708-59-0x0000000004660000-0x0000000004682000-memory.dmp

Filesize
136KB

Download
memory/2012-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-64-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-68-0x000000000041A684-mapping.dmp

Download
memory/2012-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2012-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download