Malware Analysis Report

2025-04-13 20:35

Sample ID 230914-vp9nxagc29
Target 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe
SHA256 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597
Tags
azorult infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597

Threat Level: Known bad

The file 6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe was found to be: Known bad.

Malicious Activity Summary

azorult infostealer trojan

Azorult

Checks QEMU agent file

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-14 17:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 17:11

Reported

2023-09-14 17:13

Platform

win7-20230831-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\eviler.sst C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 544

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nst58FB.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

\Users\Admin\AppData\Local\Temp\nst58FB.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 17:11

Reported

2023-09-14 17:13

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"

Signatures

Azorult

trojan infostealer azorult

Checks QEMU agent file

Description Indicator Process Target
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe N/A
File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\0409\eviler.sst C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe N/A

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"

C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe

"C:\Users\Admin\AppData\Local\Temp\6b84c9e16c1ef41bbb3b00b48248cbf0745f0435a7e152cb8176900545d5c597_JC.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 zmarszczki-nakatne.net.pl udp
PL 185.135.90.183:443 zmarszczki-nakatne.net.pl tcp
US 8.8.8.8:53 183.90.135.185.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 146.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 dw4b.shop udp
US 104.21.49.2:80 dw4b.shop tcp
US 8.8.8.8:53 2.49.21.104.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsq6DC0.tmp\System.dll

MD5 6e55a6e7c3fdbd244042eb15cb1ec739
SHA1 070ea80e2192abc42f358d47b276990b5fa285a9
SHA256 acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA512 2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

C:\Users\Admin\AppData\Local\Temp\nsq6DC0.tmp\nsExec.dll

MD5 ec9c99216ef11cdd85965e78bc797d2c
SHA1 1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c
SHA256 c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df
SHA512 35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

memory/4264-30-0x0000000076EA1000-0x0000000076FC1000-memory.dmp
memory/4264-31-0x0000000076EA1000-0x0000000076FC1000-memory.dmp
memory/4264-32-0x0000000073AF0000-0x0000000073AF7000-memory.dmp
memory/3352-33-0x0000000076F28000-0x0000000076F29000-memory.dmp
memory/3352-34-0x0000000076F45000-0x0000000076F46000-memory.dmp
memory/3352-41-0x00000000725F0000-0x0000000073844000-memory.dmp
memory/3352-42-0x00000000004A0000-0x0000000004466000-memory.dmp
memory/3352-43-0x0000000000060000-0x0000000000087000-memory.dmp
memory/3352-44-0x00000000004A0000-0x0000000004466000-memory.dmp
memory/3352-45-0x00000000725F0000-0x0000000073844000-memory.dmp
memory/3352-47-0x0000000076EA1000-0x0000000076FC1000-memory.dmp