General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Stealer/Azorult.exe
-
Sample
230528-dgs8hsed8x
Malware Config
Extracted
azorult
http://boglogov.site/index.php
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Stealer/Azorult.exe
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Modifies Windows Defender Real-time Protection settings
-
Modifies visiblity of hidden/system files in Explorer
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass
-
Windows security bypass
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
3Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task
1