azorult | 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4

Resubmissions

19/03/2025, 20:13

250319-yzdk1a1yew 10

06/12/2023, 15:44

16/11/2023, 20:24

05/04/2023, 06:56

04/04/2023, 08:02

Analysis

max time kernel
107s
max time network
110s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 20:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

??????????? ??????????????.exe
Size

234KB
MD5

38d378ff52ea3dba53a07eee3ed769c7
SHA1

94181ebcbe353d496701681b6bd03e06c1c63751
SHA256

0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4
SHA512

ab096595c92f3bca5659b2156e3daed47f70dd8ab3ddff1506ff164a50fa4d15f2503776d43633056ebcb569255295f8f7af53a031f552da1a3f73d017c105cc
SSDEEP

6144:gYa6oBsctoZqfq4S4JV2p9wubvEjRTsObhUXLbPp:gYxcCZqHp2prEVs+C7F

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://141.98.6.162/office/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
2708	jjhluxw.exe
2392	jjhluxw.exe

Loads dropped DLL 2 IoCs

pid	Process
1756	___________ ______________.exe
2708	jjhluxw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 2392	2708	jjhluxw.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2720	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2720	vlc.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2708	jjhluxw.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe
2720	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2720	vlc.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2708	1756	___________ ______________.exe	28
PID 1756 wrote to memory of 2708	1756	___________ ______________.exe	28
PID 1756 wrote to memory of 2708	1756	___________ ______________.exe	28
PID 1756 wrote to memory of 2708	1756	___________ ______________.exe	28
PID 2708 wrote to memory of 2392	2708	jjhluxw.exe	29
PID 2708 wrote to memory of 2392	2708	jjhluxw.exe	29
PID 2708 wrote to memory of 2392	2708	jjhluxw.exe	29
PID 2708 wrote to memory of 2392	2708	jjhluxw.exe	29
PID 2708 wrote to memory of 2392	2708	jjhluxw.exe	29

C:\Users\Admin\AppData\Local\Temp\___________ ______________.exe
"C:\Users\Admin\AppData\Local\Temp\___________ ______________.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
  "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe" C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
    "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe"
    3⤵
    - Executes dropped EXE
    PID:2392

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2580

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CopyPublish.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1292

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc

Filesize
6KB

MD5
19e06b8c8c60c69e11228b250568400a

SHA1
7c49e0aca8637c2adf258f98b1e7e45bcefaef53

SHA256
fb8e5832ac5a98dd0ab1030628a559627279ae256593510b0fbc6da2a43f2ad8

SHA512
e67eaebb28cab7784446cc3fbbdfb8fa3c4229225e4abdff26091a65f8adf8a912414a0bedd4b0458594776814c14f0f9cf9f18c71e3d3a75bef70b2056a389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvgovin.j

Filesize
132KB

MD5
f495dbd405842d0cee36e9ff9d3be29e

SHA1
35e5f6e880f2069a94d7cfa8847040fb1bb0c8e9

SHA256
aa7ec70ab30285dcd735aa0c1feb12729c10198a4eb2ebcce50e3a1afca58da4

SHA512
44fd0a274c612094c150be66d4ab447d474f81900388fc8b1dbc9828a195bc43a05f6337132a1438612a6f329cc99880dba3c6eb997755e02713d877cc675e8c

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em2720

Filesize
78B

MD5
ef0fbd23c7c036686ad1c76f87ed141b

SHA1
22bff10f841d744f6adb7529b6f9bf2511b86f20

SHA256
3636b43f375b5f6c2c6f342239e02a90b892ccf9d5717c9e6754780dcd9b1f18

SHA512
dfeeae02ac345c80db258ae7003b2e33da95cbf2035d9fcbe514ce8ba354bca2dd9977ccfe565743c82eb3c0b21d4a6a7112e138ca151e11cab3fe6ca262de84

Download Submit
\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
memory/1292-120-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2340-121-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2392-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-18-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2392-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2708-8-0x00000000000A0000-0x00000000000A2000-memory.dmp

Filesize
8KB

Download
memory/2720-60-0x000007FEF4920000-0x000007FEF4987000-memory.dmp

Filesize
412KB

Download
memory/2720-69-0x000007FEF4740000-0x000007FEF4752000-memory.dmp

Filesize
72KB

Download
memory/2720-34-0x000007FEF7090000-0x000007FEF70A7000-memory.dmp

Filesize
92KB

Download
memory/2720-31-0x000007FEF75C0000-0x000007FEF75D7000-memory.dmp

Filesize
92KB

Download
memory/2720-40-0x000007FEF6AE0000-0x000007FEF6AFD000-memory.dmp

Filesize
116KB

Download
memory/2720-35-0x000007FEF7070000-0x000007FEF7081000-memory.dmp

Filesize
68KB

Download
memory/2720-41-0x000007FEF6AC0000-0x000007FEF6AD1000-memory.dmp

Filesize
68KB

Download
memory/2720-42-0x000007FEF5AF0000-0x000007FEF5CF0000-memory.dmp

Filesize
2.0MB

Download
memory/2720-30-0x000007FEF7B60000-0x000007FEF7B78000-memory.dmp

Filesize
96KB

Download
memory/2720-43-0x000007FEF4A40000-0x000007FEF5AEB000-memory.dmp

Filesize
16.7MB

Download
memory/2720-50-0x000007FEF6A80000-0x000007FEF6ABF000-memory.dmp

Filesize
252KB

Download
memory/2720-51-0x000007FEF6A50000-0x000007FEF6A71000-memory.dmp

Filesize
132KB

Download
memory/2720-52-0x000007FEF6A30000-0x000007FEF6A48000-memory.dmp

Filesize
96KB

Download
memory/2720-53-0x000007FEF6A10000-0x000007FEF6A21000-memory.dmp

Filesize
68KB

Download
memory/2720-54-0x000007FEF69F0000-0x000007FEF6A01000-memory.dmp

Filesize
68KB

Download
memory/2720-55-0x000007FEF4A20000-0x000007FEF4A31000-memory.dmp

Filesize
68KB

Download
memory/2720-56-0x000007FEF4A00000-0x000007FEF4A1B000-memory.dmp

Filesize
108KB

Download
memory/2720-57-0x000007FEF49E0000-0x000007FEF49F1000-memory.dmp

Filesize
68KB

Download
memory/2720-58-0x000007FEF49C0000-0x000007FEF49D8000-memory.dmp

Filesize
96KB

Download
memory/2720-59-0x000007FEF4990000-0x000007FEF49C0000-memory.dmp

Filesize
192KB

Download
memory/2720-29-0x000007FEF5E20000-0x000007FEF60D4000-memory.dmp

Filesize
2.7MB

Download
memory/2720-61-0x000007FEF48B0000-0x000007FEF491F000-memory.dmp

Filesize
444KB

Download
memory/2720-62-0x000007FEF4890000-0x000007FEF48A1000-memory.dmp

Filesize
68KB

Download
memory/2720-63-0x000007FEF4830000-0x000007FEF4886000-memory.dmp

Filesize
344KB

Download
memory/2720-64-0x000007FEF4800000-0x000007FEF4828000-memory.dmp

Filesize
160KB

Download
memory/2720-65-0x000007FEF47D0000-0x000007FEF47F4000-memory.dmp

Filesize
144KB

Download
memory/2720-66-0x000007FEF47B0000-0x000007FEF47C7000-memory.dmp

Filesize
92KB

Download
memory/2720-67-0x000007FEF4780000-0x000007FEF47A3000-memory.dmp

Filesize
140KB

Download
memory/2720-68-0x000007FEF4760000-0x000007FEF4771000-memory.dmp

Filesize
68KB

Download
memory/2720-33-0x000007FEF70B0000-0x000007FEF70C1000-memory.dmp

Filesize
68KB

Download
memory/2720-70-0x000007FEF4710000-0x000007FEF4731000-memory.dmp

Filesize
132KB

Download
memory/2720-71-0x000007FEF46F0000-0x000007FEF4703000-memory.dmp

Filesize
76KB

Download
memory/2720-72-0x000007FEF46D0000-0x000007FEF46E2000-memory.dmp

Filesize
72KB

Download
memory/2720-73-0x000007FEF4590000-0x000007FEF46CB000-memory.dmp

Filesize
1.2MB

Download
memory/2720-74-0x000007FEF4560000-0x000007FEF458C000-memory.dmp

Filesize
176KB

Download
memory/2720-75-0x000007FEF43A0000-0x000007FEF4552000-memory.dmp

Filesize
1.7MB

Download
memory/2720-77-0x000007FEF4320000-0x000007FEF4331000-memory.dmp

Filesize
68KB

Download
memory/2720-76-0x000007FEF4340000-0x000007FEF439C000-memory.dmp

Filesize
368KB

Download
memory/2720-78-0x000007FEF4280000-0x000007FEF4317000-memory.dmp

Filesize
604KB

Download
memory/2720-79-0x000007FEF4260000-0x000007FEF4272000-memory.dmp

Filesize
72KB

Download
memory/2720-80-0x000007FEF4020000-0x000007FEF4251000-memory.dmp

Filesize
2.2MB

Download
memory/2720-81-0x000007FEF3F00000-0x000007FEF4012000-memory.dmp

Filesize
1.1MB

Download
memory/2720-82-0x000007FEF3EC0000-0x000007FEF3EF5000-memory.dmp

Filesize
212KB

Download
memory/2720-83-0x000007FEF3E90000-0x000007FEF3EB5000-memory.dmp

Filesize
148KB

Download
memory/2720-84-0x000007FEF3E70000-0x000007FEF3E81000-memory.dmp

Filesize
68KB

Download
memory/2720-85-0x000007FEF3E00000-0x000007FEF3E61000-memory.dmp

Filesize
388KB

Download
memory/2720-86-0x000007FEF3DE0000-0x000007FEF3DF1000-memory.dmp

Filesize
68KB

Download
memory/2720-87-0x000007FEF3DC0000-0x000007FEF3DD2000-memory.dmp

Filesize
72KB

Download
memory/2720-89-0x000007FEF3DA0000-0x000007FEF3DB3000-memory.dmp

Filesize
76KB

Download
memory/2720-94-0x000007FEF3D00000-0x000007FEF3D9F000-memory.dmp

Filesize
636KB

Download
memory/2720-97-0x000007FEF3CE0000-0x000007FEF3CF1000-memory.dmp

Filesize
68KB

Download
memory/2720-107-0x000000013F860000-0x000000013F958000-memory.dmp

Filesize
992KB

Download
memory/2720-109-0x000007FEF75E0000-0x000007FEF7614000-memory.dmp

Filesize
208KB

Download
memory/2720-111-0x000007FEF5E20000-0x000007FEF60D4000-memory.dmp

Filesize
2.7MB

Download
memory/2720-113-0x000007FEF4A40000-0x000007FEF5AEB000-memory.dmp

Filesize
16.7MB

Download
memory/2720-117-0x000007FEF3F00000-0x000007FEF4012000-memory.dmp

Filesize
1.1MB

Download
memory/2720-28-0x000007FEF75E0000-0x000007FEF7614000-memory.dmp

Filesize
208KB

Download
memory/2720-27-0x000000013F860000-0x000000013F958000-memory.dmp

Filesize
992KB

Download