azorult | 39e6d545b0b364c48e17f2482f4b98d1bc5d7c6513e95264316f8af2b040192d

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order and specifications.exe
Size

182KB
MD5

1c5728b4ff35c20147c2172c529f59cf
SHA1

a31251c8770019b5a2123237c3d5f68656157419
SHA256

39e6d545b0b364c48e17f2482f4b98d1bc5d7c6513e95264316f8af2b040192d
SHA512

15788983bf99108bfc47cd99ab1cde967d7b542f8dd682d817401eb1af91a8685b099506f11c178b5d161bd4313ca1284f15a8db86422db6cc037d420ac3affe
SSDEEP

3072:GfY/TU9fE9PEtuYTSkvVNbGPRS7o1WvMR7qfMinLn4UHvV75tfiAM5jwYm9k/oyU:wYa6IBrGPp1WkQfMincUHvJLt5Bk/T/c

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://85.31.45.29/goddid/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

tzafvvv.exetzafvvv.exetzafvvv.exe

pid process

1704 tzafvvv.exe
1368 tzafvvv.exe
1692 tzafvvv.exe
Loads dropped DLL 4 IoCs

Processes:

Order and specifications.exetzafvvv.exe

pid process

1232 Order and specifications.exe
1232 Order and specifications.exe
1704 tzafvvv.exe
1704 tzafvvv.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

tzafvvv.exe

description pid process target process

PID 1704 set thread context of 1692 1704 tzafvvv.exe tzafvvv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

tzafvvv.exe

pid process

1704 tzafvvv.exe
1704 tzafvvv.exe

pid	process
1704	tzafvvv.exe
1368	tzafvvv.exe
1692	tzafvvv.exe

pid	process
1232	Order and specifications.exe
1232	Order and specifications.exe
1704	tzafvvv.exe
1704	tzafvvv.exe

description	pid	process	target process
PID 1704 set thread context of 1692	1704	tzafvvv.exe	tzafvvv.exe

pid	process
1704	tzafvvv.exe
1704	tzafvvv.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

Order and specifications.exetzafvvv.exe

description	pid	process	target process
PID 1232 wrote to memory of 1704	1232	Order and specifications.exe	tzafvvv.exe
PID 1232 wrote to memory of 1704	1232	Order and specifications.exe	tzafvvv.exe
PID 1232 wrote to memory of 1704	1232	Order and specifications.exe	tzafvvv.exe
PID 1232 wrote to memory of 1704	1232	Order and specifications.exe	tzafvvv.exe
PID 1704 wrote to memory of 1368	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1368	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1368	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1368	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1692	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1692	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1692	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1692	1704	tzafvvv.exe	tzafvvv.exe
PID 1704 wrote to memory of 1692	1704	tzafvvv.exe	tzafvvv.exe

C:\Users\Admin\AppData\Local\Temp\Order and specifications.exe
"C:\Users\Admin\AppData\Local\Temp\Order and specifications.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
"C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe" C:\Users\Admin\AppData\Local\Temp\tvyzunbytua.g
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
"C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe"
3⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
"C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe"
3⤵
- Executes dropped EXE
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lrfgmgbu.tbd
Filesize
132KB

MD5
6793cef44526107c7da7c19aca0a1b49

SHA1
e875cf334e8b400d72920080b167c28e97c70f72

SHA256
c0c45d1d2596e618f696ea6487684aec06cba4c1fa9bec94554b404fc801961e

SHA512
ee818d0cfa2bb6615bd441df222d312da78c37a0bdfaa5593cd22b807453cbbd18777f2a4064694856a1fd6e65080792e2de81fe673c9fa1f3dfcebad367f965

Download Submit
C:\Users\Admin\AppData\Local\Temp\tvyzunbytua.g
Filesize
5KB

MD5
4e9458e485d0f9c70986fdcc7bf790f2

SHA1
de62032e6286d0e28f4f6129c3eab9e78bbd5048

SHA256
0664ffe0c9291d3b1478e31f3496fb762cfb760380a90679a9a944f199a530d8

SHA512
a5afedf9489e028fcdcb356e44dd7159b69c1282d92178ea175e85a8cdf25eca6416c62444d2c0e6d554d34dd52ad7212e9ec0723e10a323174eb67c19a70741

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
\Users\Admin\AppData\Local\Temp\tzafvvv.exe
Filesize
5KB

MD5
36d56953c98a4b6a7cee29196348670f

SHA1
ffba2d929140ce1d958f3969d304fcdd0ee9dfaa

SHA256
49b28ac31bb63eebecd5a7d793684d63b2bda4b71d8ed1393b927ad43f2e5a6c

SHA512
a927f33438f4e1b1af6da9babbaa5a448e10d4587064de1a86ab0afc2b2902b36aff9890a5870b43fd3a71c4f14cc3f871b18cf644e17bf5cadc0aa3506a93c6

Download Submit
memory/1692-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1692-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download