azorult | 2a3b9417a90179a848e9dd0cb628bc88042d284505901f092aa77a360c09e405

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baf9ca75d335e33b6bc63ffe2f7149d9.exe
Size

205KB
MD5

baf9ca75d335e33b6bc63ffe2f7149d9
SHA1

3e4c29a668ab5db7a2e3fc3ed0d7cce90cd3111c
SHA256

2a3b9417a90179a848e9dd0cb628bc88042d284505901f092aa77a360c09e405
SHA512

d19c94cef3e5c5afe23b4336d05bb1195d9bd1f6bbe3d541b352d6dd19b1b3162b87c2ecfac70d35612689da23beb83f58c0c9befc9be275e8778b4a9e876b2a
SSDEEP

3072:2fY/TU9fE9PEtu4TSkvVcbloANFF8WA1LBLoNFhqdxG3ZIPFpVDCWh8Y6N3+j5jX:gYa6oBAloAipdoj1pYxedG56bb6RT

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://85.31.45.29/Godblessings/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

irgmnnaq.exeirgmnnaq.exe

pid process

3816 irgmnnaq.exe
4272 irgmnnaq.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

irgmnnaq.exe

description pid process target process

PID 3816 set thread context of 4272 3816 irgmnnaq.exe irgmnnaq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

irgmnnaq.exe

pid process

3816 irgmnnaq.exe

pid	process
3816	irgmnnaq.exe
4272	irgmnnaq.exe

description	pid	process	target process
PID 3816 set thread context of 4272	3816	irgmnnaq.exe	irgmnnaq.exe

pid	process
3816	irgmnnaq.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

baf9ca75d335e33b6bc63ffe2f7149d9.exeirgmnnaq.exe

description	pid	process	target process
PID 2980 wrote to memory of 3816	2980	baf9ca75d335e33b6bc63ffe2f7149d9.exe	irgmnnaq.exe
PID 2980 wrote to memory of 3816	2980	baf9ca75d335e33b6bc63ffe2f7149d9.exe	irgmnnaq.exe
PID 2980 wrote to memory of 3816	2980	baf9ca75d335e33b6bc63ffe2f7149d9.exe	irgmnnaq.exe
PID 3816 wrote to memory of 4272	3816	irgmnnaq.exe	irgmnnaq.exe
PID 3816 wrote to memory of 4272	3816	irgmnnaq.exe	irgmnnaq.exe
PID 3816 wrote to memory of 4272	3816	irgmnnaq.exe	irgmnnaq.exe
PID 3816 wrote to memory of 4272	3816	irgmnnaq.exe	irgmnnaq.exe

C:\Users\Admin\AppData\Local\Temp\baf9ca75d335e33b6bc63ffe2f7149d9.exe
"C:\Users\Admin\AppData\Local\Temp\baf9ca75d335e33b6bc63ffe2f7149d9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe
"C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe" C:\Users\Admin\AppData\Local\Temp\pycahzrfmfx.jyx
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe
"C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe"
3⤵
- Executes dropped EXE
PID:4272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe
Filesize
54KB

MD5
44de72e22fe4533266cb2dd7cab7b040

SHA1
9f5985be824d840b740dcc281799fa62ccbebef0

SHA256
69cee00fd47dbf3bf3625734286d0f97a271d0a3021839e573db84aa7d223184

SHA512
a8ad803f870d2b4b92a873ccb627cc6b34720bed07abb8520bcd1737eda98fba6400d96436e368098a894e0ba188e276461245873e4659975d3888911c39c810

Download Submit
C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe
Filesize
54KB

MD5
44de72e22fe4533266cb2dd7cab7b040

SHA1
9f5985be824d840b740dcc281799fa62ccbebef0

SHA256
69cee00fd47dbf3bf3625734286d0f97a271d0a3021839e573db84aa7d223184

SHA512
a8ad803f870d2b4b92a873ccb627cc6b34720bed07abb8520bcd1737eda98fba6400d96436e368098a894e0ba188e276461245873e4659975d3888911c39c810

Download Submit
C:\Users\Admin\AppData\Local\Temp\irgmnnaq.exe
Filesize
54KB

MD5
44de72e22fe4533266cb2dd7cab7b040

SHA1
9f5985be824d840b740dcc281799fa62ccbebef0

SHA256
69cee00fd47dbf3bf3625734286d0f97a271d0a3021839e573db84aa7d223184

SHA512
a8ad803f870d2b4b92a873ccb627cc6b34720bed07abb8520bcd1737eda98fba6400d96436e368098a894e0ba188e276461245873e4659975d3888911c39c810

Download Submit
C:\Users\Admin\AppData\Local\Temp\pycahzrfmfx.jyx
Filesize
5KB

MD5
a9cbecd801740495a954c0de0096a5b0

SHA1
92c4f73f40a3f30908ce6fdea077fdfed01a7db3

SHA256
e530e49c92e3113a6293f080f4d8db973ce0016281d551526a2a775bfc3365ea

SHA512
66cd8f51dc0f42e0e307b394c6e848a77d083f65c8ef9695aa36a85fad4214dd9b61aa0b96bacc448b32e3804a192083ef59b8893f7583fc2b5f1ea5c818f88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlywtmy.tps
Filesize
132KB

MD5
97fd061fbbcdcf0c01dfd5cb2fbce1e0

SHA1
a74cc4212353506e2488be043ccf9fa062133644

SHA256
3cdb3b711ae1a2bfbac9370dae19638f60322189028b214c06dc6f3fbc428d87

SHA512
8323732fce0caf46919ecff6ee7456f7a54ed990177f88613264f4afedf4c0b01a9723da8dbc6f88552318e5603f21acd1b1155f725247f86ec997407cf69b3d

Download Submit
memory/3816-141-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/4272-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4272-145-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4272-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download