azorult | 35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50

Analysis

max time kernel
121s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Подтверждение оплаты.exe
Size

183KB
MD5

f99952ddfded19b9ee7c0fd893bc67c3
SHA1

68674af1e9ca690a3e2f2c693b2b1b8601a86aa9
SHA256

35f51638db79fc84e255ab2062e9bd239faf523ff161cbcc613159d4db8a5a50
SHA512

759b8956572877261e4676485e1a498227e07b796924e323cdfb0d7c7f5a9f779d5f4528b8006348b7f6302fecbf9683dbe6159163b90b85ee3b0b178d7eac8d
SSDEEP

3072:GfY/TU9fE9PEtuMTSkvV0bM6/vS1RrSs3HT+1ze/8kP6uVeYxqJwTT7AbLPNZgVK:wYa60BAnSHrJy6RAJwTaYVK

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://85.31.45.29/office/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

jfzyw.exejfzyw.exe

pid process

1816 jfzyw.exe
676 jfzyw.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jfzyw.exe

description pid process target process

PID 1816 set thread context of 676 1816 jfzyw.exe jfzyw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

jfzyw.exe

pid process

1816 jfzyw.exe

pid	process
1816	jfzyw.exe
676	jfzyw.exe

description	pid	process	target process
PID 1816 set thread context of 676	1816	jfzyw.exe	jfzyw.exe

pid	process
1816	jfzyw.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Подтверждение оплаты.exejfzyw.exe

description	pid	process	target process
PID 4900 wrote to memory of 1816	4900	Подтверждение оплаты.exe	jfzyw.exe
PID 4900 wrote to memory of 1816	4900	Подтверждение оплаты.exe	jfzyw.exe
PID 4900 wrote to memory of 1816	4900	Подтверждение оплаты.exe	jfzyw.exe
PID 1816 wrote to memory of 676	1816	jfzyw.exe	jfzyw.exe
PID 1816 wrote to memory of 676	1816	jfzyw.exe	jfzyw.exe
PID 1816 wrote to memory of 676	1816	jfzyw.exe	jfzyw.exe
PID 1816 wrote to memory of 676	1816	jfzyw.exe	jfzyw.exe

C:\Users\Admin\AppData\Local\Temp\Подтверждение оплаты.exe
"C:\Users\Admin\AppData\Local\Temp\Подтверждение оплаты.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Admin\AppData\Local\Temp\jfzyw.exe
"C:\Users\Admin\AppData\Local\Temp\jfzyw.exe" C:\Users\Admin\AppData\Local\Temp\efgylqxlyw.k
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\jfzyw.exe
"C:\Users\Admin\AppData\Local\Temp\jfzyw.exe"
3⤵
- Executes dropped EXE
PID:676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\efgylqxlyw.k
Filesize
5KB

MD5
ff1412be3f6dbfbbdcc65e17c619a8cc

SHA1
db58131c09eb548c3d317ab46975d28e414e8e68

SHA256
89894df471a72ecc008d3764d46acd9955fb55ddb0db6674ec037fdb134823a7

SHA512
4ee69782b6e0aa92ed96fb3c96fe7586a96fb80d6891cddcc6407a91bdb78229c7f0826715db37ff3f8995373c06aeb7e980bdcfc2f0a313cf646d2bfc603508

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfzyw.exe
Filesize
8KB

MD5
90bfe50257437f0a580ec7077dfa8555

SHA1
712735363da21a29025f4bab8ab2865fef609968

SHA256
3346a27bd201cb33b49ea9f769f003ec8126b46a299aae4c4b096682f2f675e9

SHA512
8ffe679945dd259db8a272047914dfbf813aa9e8323f454ead94aabbadaadaaa2b3fd316eee37e84910dd490a8ba3e792259165bfaea391ac7d3d6c6c448e603

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfzyw.exe
Filesize
8KB

MD5
90bfe50257437f0a580ec7077dfa8555

SHA1
712735363da21a29025f4bab8ab2865fef609968

SHA256
3346a27bd201cb33b49ea9f769f003ec8126b46a299aae4c4b096682f2f675e9

SHA512
8ffe679945dd259db8a272047914dfbf813aa9e8323f454ead94aabbadaadaaa2b3fd316eee37e84910dd490a8ba3e792259165bfaea391ac7d3d6c6c448e603

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfzyw.exe
Filesize
8KB

MD5
90bfe50257437f0a580ec7077dfa8555

SHA1
712735363da21a29025f4bab8ab2865fef609968

SHA256
3346a27bd201cb33b49ea9f769f003ec8126b46a299aae4c4b096682f2f675e9

SHA512
8ffe679945dd259db8a272047914dfbf813aa9e8323f454ead94aabbadaadaaa2b3fd316eee37e84910dd490a8ba3e792259165bfaea391ac7d3d6c6c448e603

Download Submit
C:\Users\Admin\AppData\Local\Temp\qfnfsac.vl
Filesize
132KB

MD5
a0a683ed99da1122981071a32f132ff8

SHA1
f585ce727e0a8ddca66d68fc7ca506b4c59faabd

SHA256
6d4fda9fd0da10b893eb5a9c18b702b97c58e098191e21b7ce45b4255cd9613d

SHA512
b7caecdfc4f96d4beeca23eae49439706ee830130d4a847eb10c3242c7c731fd7f4cea20ac14b4d36997519e126becb61aa479d6a5d4242d9cc50232973eb7b4

Download Submit
memory/676-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/676-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/676-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/676-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download