azorult | 23aea1c371420be7d6119b55d5584b590180bfe7c72666f44578d3ae589a7cb5

General

Target

NLBrute 1.2 Crack x64/NLB_Licenz/NLB_Licenz/NLBrute 1.2 x64 & VPN - KeyGen.exe
Size

9.7MB
MD5

1b5675c93a01b5086a60aa3856a4e4f8
SHA1

4147f00569cb6dbcc2e7787663bcefb4b30243e2
SHA256

1db16882d923db80879a7d8d3fa724414e043b91ab160608c99a11df0651280f
SHA512

1ba9903c1d8ca5073abc94301286e71b3126252eb9e77c0b692c042aecd23977d1ff90ee2e203bcba090ffc12cd4fab00d406d998da288ecc64c5f60c708211a
SSDEEP

196608:7CKGs7lPGbFRoaNhBv5IFNW0Y0G6zZ7UAuAxid8Om6:eopoucRiK0Yq73xgP

Score

10^/10

azorult infostealer trojan vmprotect

Malware Config

Extracted

Family

azorult

C2

http://updateinstall.xyz/6616a.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

gazcrypt.vmp.exeNLBrute 1.2 x64 & VPN - KeyGen.exe

pid process

3564 gazcrypt.vmp.exe
460 NLBrute 1.2 x64 & VPN - KeyGen.exe

pid	process
3564	gazcrypt.vmp.exe
460	NLBrute 1.2 x64 & VPN - KeyGen.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\autBCFC.tmp	vmprotect
C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe	vmprotect
behavioral1/memory/3564-159-0x0000000000130000-0x0000000000C59000-memory.dmp	vmprotect

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/3564-159-0x0000000000130000-0x0000000000C59000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

gazcrypt.vmp.exeNLBrute 1.2 x64 & VPN - KeyGen.exe

pid process

3564 gazcrypt.vmp.exe
460 NLBrute 1.2 x64 & VPN - KeyGen.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

gazcrypt.vmp.exe

description pid process target process

PID 3564 set thread context of 1104 3564 gazcrypt.vmp.exe WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3564	gazcrypt.vmp.exe
460	NLBrute 1.2 x64 & VPN - KeyGen.exe

description	pid	process	target process
PID 3564 set thread context of 1104	3564	gazcrypt.vmp.exe	WerFault.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

NLBrute 1.2 x64 & VPN - KeyGen.exegazcrypt.vmp.exe

pid	process
460	NLBrute 1.2 x64 & VPN - KeyGen.exe
460	NLBrute 1.2 x64 & VPN - KeyGen.exe
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

gazcrypt.vmp.exe

pid process

3564 gazcrypt.vmp.exe
3564 gazcrypt.vmp.exe
3564 gazcrypt.vmp.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

gazcrypt.vmp.exe

pid process

3564 gazcrypt.vmp.exe
3564 gazcrypt.vmp.exe
3564 gazcrypt.vmp.exe

pid	process
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe

pid	process
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe
3564	gazcrypt.vmp.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

NLBrute 1.2 x64 & VPN - KeyGen.exegazcrypt.vmp.exe

description	pid	process	target process
PID 3272 wrote to memory of 3564	3272	NLBrute 1.2 x64 & VPN - KeyGen.exe	gazcrypt.vmp.exe
PID 3272 wrote to memory of 3564	3272	NLBrute 1.2 x64 & VPN - KeyGen.exe	gazcrypt.vmp.exe
PID 3272 wrote to memory of 3564	3272	NLBrute 1.2 x64 & VPN - KeyGen.exe	gazcrypt.vmp.exe
PID 3272 wrote to memory of 460	3272	NLBrute 1.2 x64 & VPN - KeyGen.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
PID 3272 wrote to memory of 460	3272	NLBrute 1.2 x64 & VPN - KeyGen.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
PID 3272 wrote to memory of 460	3272	NLBrute 1.2 x64 & VPN - KeyGen.exe	NLBrute 1.2 x64 & VPN - KeyGen.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe
PID 3564 wrote to memory of 1104	3564	gazcrypt.vmp.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\NLBrute 1.2 Crack x64\NLB_Licenz\NLB_Licenz\NLBrute 1.2 x64 & VPN - KeyGen.exe
"C:\Users\Admin\AppData\Local\Temp\NLBrute 1.2 Crack x64\NLB_Licenz\NLB_Licenz\NLBrute 1.2 x64 & VPN - KeyGen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3272

C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe
"C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:1104

C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe
"C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autBCFC.tmp
Filesize
6.4MB

MD5
b1650cdb13624dba5987826fd2d392b9

SHA1
62bec6f5d788addd2c283eb797cc4ed238922d48

SHA256
e7a38781ced5e8b231088febeaff2d727d6dfc510e793b5709d205202db1d51d

SHA512
c6f6002be7ad8f52aa4853396f0e0a72c24dd788706ba0021cfbd9dd7e6b47aeef721fcc1887fb471ed2c908d01a10476c530f599596dfb9742630af9b8c758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD13F.tmp
Filesize
108KB

MD5
fbf51fdf1bca703c86d1c33e579d3ea6

SHA1
62e1920158012842cfde52e12554a11a924a60ca

SHA256
b9ce3c6fbb683c935bbb67f0f94e9721dafe8508a74a9383690fefcea35be424

SHA512
f874b52e1bdd06f6e15fac27b278765331328f3b86064cd2607a7ec0c22e88896ef5475e5336b4091845607a03e23404ba18834f039cb7ac8417e99346d08830

Download Submit
C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe
Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe
Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
C:\Users\Admin\AppData\Roaming\Z83687757\NLBrute 1.2 x64 & VPN - KeyGen.exe
Filesize
2.5MB

MD5
62b039b2af7bf5f6abf35ef903024300

SHA1
4ae220e451482e839619c2e927752468e0eda8d5

SHA256
83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5

SHA512
8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e

Download Submit
C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe
Filesize
6.4MB

MD5
b1650cdb13624dba5987826fd2d392b9

SHA1
62bec6f5d788addd2c283eb797cc4ed238922d48

SHA256
e7a38781ced5e8b231088febeaff2d727d6dfc510e793b5709d205202db1d51d

SHA512
c6f6002be7ad8f52aa4853396f0e0a72c24dd788706ba0021cfbd9dd7e6b47aeef721fcc1887fb471ed2c908d01a10476c530f599596dfb9742630af9b8c758f

Download Submit
C:\Users\Admin\AppData\Roaming\Z83687757\gazcrypt.vmp.exe
Filesize
6.4MB

MD5
b1650cdb13624dba5987826fd2d392b9

SHA1
62bec6f5d788addd2c283eb797cc4ed238922d48

SHA256
e7a38781ced5e8b231088febeaff2d727d6dfc510e793b5709d205202db1d51d

SHA512
c6f6002be7ad8f52aa4853396f0e0a72c24dd788706ba0021cfbd9dd7e6b47aeef721fcc1887fb471ed2c908d01a10476c530f599596dfb9742630af9b8c758f

Download Submit
memory/460-167-0x0000000003710000-0x00000000037E6000-memory.dmp

Filesize
856KB

Download
memory/460-144-0x0000000077F60000-0x0000000077F61000-memory.dmp

Filesize
4KB

Download
memory/460-143-0x0000000003C90000-0x0000000003DA2000-memory.dmp

Filesize
1.1MB

Download
memory/460-141-0x0000000000400000-0x0000000001B3C000-memory.dmp

Filesize
23.2MB

Download
memory/460-160-0x0000000003710000-0x00000000037E6000-memory.dmp

Filesize
856KB

Download
memory/460-165-0x0000000003710000-0x00000000037E6000-memory.dmp

Filesize
856KB

Download
memory/460-155-0x0000000003C90000-0x0000000003DA2000-memory.dmp

Filesize
1.1MB

Download
memory/460-157-0x0000000003C90000-0x0000000003DA2000-memory.dmp

Filesize
1.1MB

Download
memory/1104-177-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1104-176-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3564-153-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/3564-156-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download
memory/3564-158-0x0000000001510000-0x0000000001511000-memory.dmp

Filesize
4KB

Download
memory/3564-159-0x0000000000130000-0x0000000000C59000-memory.dmp

Filesize
11.2MB

Download
memory/3564-154-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/3564-150-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/3564-145-0x0000000001480000-0x0000000001481000-memory.dmp

Filesize
4KB

Download
memory/3564-148-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/3564-147-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads