azorult | aea97f90f47e652c71f2be1b083b5566a544b03ddc80cea5dfcbecc8f693b27d

General

Target

95c74cde309fcdef4b72f348f3be8467.exe
Size

839KB
MD5

95c74cde309fcdef4b72f348f3be8467
SHA1

7077cbc56d2e1d2f82b597f9970888532fda4f3d
SHA256

aea97f90f47e652c71f2be1b083b5566a544b03ddc80cea5dfcbecc8f693b27d
SHA512

70aa24b7a2fb63ed0651bda9151bd461a58afc9cd6dc3c3b7eeacdbe37c93fa10b5e2c08a8ff1cbb6dc59f6ae84aa123e772ebb2e77a32c73487544c35cd2d83
SSDEEP

24576:i7CQSUnyPyAb/bhDjoJfMpxXM+u7vR/k45kZ:F28rbtjogxFgRZkZ

Score

10^/10

azorult guloader downloader infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Loads dropped DLL 1 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

pid process

2876 95c74cde309fcdef4b72f348f3be8467.exe
Drops file in System32 directory 1 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\octocoralline\udflet.kly 95c74cde309fcdef4b72f348f3be8467.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

pid process

2768 95c74cde309fcdef4b72f348f3be8467.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe95c74cde309fcdef4b72f348f3be8467.exe

pid process

2876 95c74cde309fcdef4b72f348f3be8467.exe
2768 95c74cde309fcdef4b72f348f3be8467.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

description pid process target process

PID 2876 set thread context of 2768 2876 95c74cde309fcdef4b72f348f3be8467.exe 95c74cde309fcdef4b72f348f3be8467.exe
Drops file in Program Files directory 1 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

description ioc process

File created C:\Program Files (x86)\Alkoholpaavirkede.lnk 95c74cde309fcdef4b72f348f3be8467.exe

pid	process
2876	95c74cde309fcdef4b72f348f3be8467.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\octocoralline\udflet.kly	95c74cde309fcdef4b72f348f3be8467.exe

pid	process
2768	95c74cde309fcdef4b72f348f3be8467.exe

pid	process
2876	95c74cde309fcdef4b72f348f3be8467.exe
2768	95c74cde309fcdef4b72f348f3be8467.exe

description	pid	process	target process
PID 2876 set thread context of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe

description	ioc	process
File created	C:\Program Files (x86)\Alkoholpaavirkede.lnk	95c74cde309fcdef4b72f348f3be8467.exe

Drops file in Windows directory 2 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\sttemaskinerne.aft	95c74cde309fcdef4b72f348f3be8467.exe
File opened for modification	C:\Windows\pau.anl	95c74cde309fcdef4b72f348f3be8467.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

pid process

2876 95c74cde309fcdef4b72f348f3be8467.exe

pid	process
2876	95c74cde309fcdef4b72f348f3be8467.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

95c74cde309fcdef4b72f348f3be8467.exe

description	pid	process	target process
PID 2876 wrote to memory of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe
PID 2876 wrote to memory of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe
PID 2876 wrote to memory of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe
PID 2876 wrote to memory of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe
PID 2876 wrote to memory of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe
PID 2876 wrote to memory of 2768	2876	95c74cde309fcdef4b72f348f3be8467.exe	95c74cde309fcdef4b72f348f3be8467.exe

C:\Users\Admin\AppData\Local\Temp\95c74cde309fcdef4b72f348f3be8467.exe
"C:\Users\Admin\AppData\Local\Temp\95c74cde309fcdef4b72f348f3be8467.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\95c74cde309fcdef4b72f348f3be8467.exe
  "C:\Users\Admin\AppData\Local\Temp\95c74cde309fcdef4b72f348f3be8467.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\regdir.ini

Filesize
23B

MD5
c92bd40da0253a8950d8212a10a45b7a

SHA1
51b8c9ec204739dc6533aedb479e2246dc6c814e

SHA256
66254a3eeb63222b02602732fac5e85f080d77c5e257e138864931763fb955fb

SHA512
26cc58e0e7aceea7e1f3083fa8ca7e231ca71616006d34a5b73de93f1edbcb2904ab246f0ae241f2fcd51c93f467757081c381c57e1de8c77a2a8695ec4ac4e1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi282.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/2768-66-0x0000000073140000-0x00000000741A2000-memory.dmp

Filesize
16.4MB

Download
memory/2768-48-0x00000000004A0000-0x0000000001617000-memory.dmp

Filesize
17.5MB

Download
memory/2768-49-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2768-67-0x00000000004A0000-0x0000000001617000-memory.dmp

Filesize
17.5MB

Download
memory/2768-68-0x0000000073140000-0x00000000741A2000-memory.dmp

Filesize
16.4MB

Download
memory/2768-69-0x00000000004A0000-0x0000000001617000-memory.dmp

Filesize
17.5MB

Download
memory/2768-70-0x0000000073140000-0x00000000741A2000-memory.dmp

Filesize
16.4MB

Download
memory/2876-45-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2876-46-0x0000000077DB0000-0x0000000077E86000-memory.dmp

Filesize
856KB

Download
memory/2876-47-0x00000000750E0000-0x00000000750E7000-memory.dmp

Filesize
28KB

Download
memory/2876-50-0x0000000003900000-0x0000000004A77000-memory.dmp

Filesize
17.5MB

Download
memory/2876-44-0x0000000003900000-0x0000000004A77000-memory.dmp

Filesize
17.5MB

Download

Analysis

Sharing