azorult | bdebf9684f9ba88ecb64f1fd22d729457016c64d32aadfc7318fc25c20265af9

General

Target

Ziraat Bankasi Swift Mesaji.pdf.exe
Size

616KB
MD5

7c35f85b5f2d8d303236aaa99f39d5b3
SHA1

17c34784402e9c2fc9cd310507a7e6fb58a53459
SHA256

bdebf9684f9ba88ecb64f1fd22d729457016c64d32aadfc7318fc25c20265af9
SHA512

b9ff73306cb6349f67a6156bb83c8bda1ffc2e4d84e2f7c3abf2a34c7fe042e726310848dca6cc48de46ca4549197581f1cd04925c90159ed6a2003a10532d58
SSDEEP

12288:b+8XG5SFEyclCv8epDWww/rRxf7XRHlSdWGx9hq3ChcXWgkHm:b+8BFslS8epCwwr7XRkda3ChcOHm

Score

10^/10

azorult infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Loads dropped DLL 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

pid process

4464 Ziraat Bankasi Swift Mesaji.pdf.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

pid process

4416 Ziraat Bankasi Swift Mesaji.pdf.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exeZiraat Bankasi Swift Mesaji.pdf.exe

pid process

4464 Ziraat Bankasi Swift Mesaji.pdf.exe
4416 Ziraat Bankasi Swift Mesaji.pdf.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description pid process target process

PID 4464 set thread context of 4416 4464 Ziraat Bankasi Swift Mesaji.pdf.exe Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
4464	Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
4416	Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
4464	Ziraat Bankasi Swift Mesaji.pdf.exe
4416	Ziraat Bankasi Swift Mesaji.pdf.exe

description	pid	process	target process
PID 4464 set thread context of 4416	4464	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe

Drops file in Windows directory 4 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description	ioc	process
File opened for modification	C:\Windows\Kogekunsters227\arnement.ini	Ziraat Bankasi Swift Mesaji.pdf.exe
File opened for modification	C:\Windows\Fonts\buskvksterne.ini	Ziraat Bankasi Swift Mesaji.pdf.exe
File created	C:\Windows\Fonts\nabogrunde\sedimentarily.lnk	Ziraat Bankasi Swift Mesaji.pdf.exe
File created	C:\Windows\chondriome\apotekerdisciplenes.lnk	Ziraat Bankasi Swift Mesaji.pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

pid process

4464 Ziraat Bankasi Swift Mesaji.pdf.exe

pid	process
4464	Ziraat Bankasi Swift Mesaji.pdf.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.pdf.exe

description	pid	process	target process
PID 4464 wrote to memory of 4416	4464	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 4464 wrote to memory of 4416	4464	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 4464 wrote to memory of 4416	4464	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 4464 wrote to memory of 4416	4464	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe
PID 4464 wrote to memory of 4416	4464	Ziraat Bankasi Swift Mesaji.pdf.exe	Ziraat Bankasi Swift Mesaji.pdf.exe

C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.pdf.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\divisa.ini

Filesize
37B

MD5
6afbceba786a45c12c432275ca8fa2fd

SHA1
a0ba442f9661309d3cd11da7783ee6b2ff8926cd

SHA256
c48e9a91c089b7e2bdbdad49e8841ee05d4051bffe2ca304982195ea26b96eb8

SHA512
449aaf84e4f5eb18c06ce20bf0a3fadcd59428388cc02f60ca02d268dae61869044b6e65515ec3c3f7a71bdcbc1a689d0897de167f148a31d7d0bd0431c45550

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy661A.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\Docimasy.ini

Filesize
35B

MD5
07aa3c5f11b10fbd989d1cd144d9f5ec

SHA1
1cb0349287f9171642f1dfca482697aebd172cca

SHA256
2e9c5f3febbb36f97f3e5da2edc82d49e020b4b36b38faafd121326c8de8e710

SHA512
a854cde4122d050363cfcb167c72aa367018835f497b13b4e73536910bcb38bff5ba4261f4075bf96c41c065718fb15d7228c3b59f12c81fb3ea09932f4960b1

Download Submit
memory/4416-72-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/4416-62-0x0000000077CA8000-0x0000000077CA9000-memory.dmp

Filesize
4KB

Download
memory/4416-63-0x0000000077CC5000-0x0000000077CC6000-memory.dmp

Filesize
4KB

Download
memory/4416-70-0x0000000073610000-0x0000000074864000-memory.dmp

Filesize
18.3MB

Download
memory/4416-71-0x0000000000500000-0x00000000053E3000-memory.dmp

Filesize
78.9MB

Download
memory/4416-74-0x0000000073610000-0x0000000074864000-memory.dmp

Filesize
18.3MB

Download
memory/4416-73-0x0000000000500000-0x00000000053E3000-memory.dmp

Filesize
78.9MB

Download
memory/4416-76-0x0000000077C21000-0x0000000077D41000-memory.dmp

Filesize
1.1MB

Download
memory/4464-61-0x0000000074870000-0x0000000074877000-memory.dmp

Filesize
28KB

Download
memory/4464-60-0x0000000077C21000-0x0000000077D41000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing