azorult | f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05

Analysis

max time kernel
15s
max time network
103s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe Download Manager.exe
Size

2.0MB
MD5

cc38554b00499e85149b2c1c0a22473e
SHA1

13382965ec47a60dcf07aeadd7414f215099f564
SHA256

f8b6eddbe3fd90f45c93cfdaf71fe200371518c6f0c100e2aad9f193d7260c05
SHA512

0efe34a59ef8990aa40db6066128f44108c0bce914e450ba69cafae0664c3190cdbdfd0511e42a25e8f4d880e456ef2ccedcd690603e102ae4dcdf7170b2790c
SSDEEP

24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB

Score

10^/10

azorult quasar ebayprofiles infostealer spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Extracted

Family

azorult

http://0x21.in:8000/_az/

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
behavioral1/memory/2884-49-0x0000000000350000-0x00000000003AE000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
behavioral1/memory/576-67-0x00000000010B0000-0x000000000110E000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

Processes:

vnc.exewindef.exe

pid process

2160 vnc.exe
2884 windef.exe

pid	process
2160	vnc.exe
2884	windef.exe

Loads dropped DLL 8 IoCs

Processes:

Adobe Download Manager.exe

pid	process
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe
2488	Adobe Download Manager.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Adobe Download Manager.exe

description	ioc	process
File opened (read-only)	\??\u:	Adobe Download Manager.exe
File opened (read-only)	\??\z:	Adobe Download Manager.exe
File opened (read-only)	\??\g:	Adobe Download Manager.exe
File opened (read-only)	\??\h:	Adobe Download Manager.exe
File opened (read-only)	\??\m:	Adobe Download Manager.exe
File opened (read-only)	\??\q:	Adobe Download Manager.exe
File opened (read-only)	\??\s:	Adobe Download Manager.exe
File opened (read-only)	\??\t:	Adobe Download Manager.exe
File opened (read-only)	\??\i:	Adobe Download Manager.exe
File opened (read-only)	\??\p:	Adobe Download Manager.exe
File opened (read-only)	\??\w:	Adobe Download Manager.exe
File opened (read-only)	\??\b:	Adobe Download Manager.exe
File opened (read-only)	\??\e:	Adobe Download Manager.exe
File opened (read-only)	\??\j:	Adobe Download Manager.exe
File opened (read-only)	\??\k:	Adobe Download Manager.exe
File opened (read-only)	\??\l:	Adobe Download Manager.exe
File opened (read-only)	\??\y:	Adobe Download Manager.exe
File opened (read-only)	\??\a:	Adobe Download Manager.exe
File opened (read-only)	\??\n:	Adobe Download Manager.exe
File opened (read-only)	\??\o:	Adobe Download Manager.exe
File opened (read-only)	\??\r:	Adobe Download Manager.exe
File opened (read-only)	\??\v:	Adobe Download Manager.exe
File opened (read-only)	\??\x:	Adobe Download Manager.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com

flow	ioc
7	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vnc.exeAdobe Download Manager.exe

description	pid	process	target process
PID 2160 set thread context of 2296	2160	vnc.exe	svchost.exe
PID 2488 set thread context of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2440 schtasks.exe
3068 schtasks.exe
1540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Adobe Download Manager.exe

pid process

2488 Adobe Download Manager.exe
2488 Adobe Download Manager.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vnc.exe

pid process

2160 vnc.exe

pid	process
2440	schtasks.exe
3068	schtasks.exe
1540	schtasks.exe

pid	process
2160	vnc.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Adobe Download Manager.exevnc.exe

description	pid	process	target process
PID 2488 wrote to memory of 2160	2488	Adobe Download Manager.exe	vnc.exe
PID 2488 wrote to memory of 2160	2488	Adobe Download Manager.exe	vnc.exe
PID 2488 wrote to memory of 2160	2488	Adobe Download Manager.exe	vnc.exe
PID 2488 wrote to memory of 2160	2488	Adobe Download Manager.exe	vnc.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe
PID 2488 wrote to memory of 2884	2488	Adobe Download Manager.exe	windef.exe
PID 2488 wrote to memory of 2884	2488	Adobe Download Manager.exe	windef.exe
PID 2488 wrote to memory of 2884	2488	Adobe Download Manager.exe	windef.exe
PID 2488 wrote to memory of 2884	2488	Adobe Download Manager.exe	windef.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe
PID 2488 wrote to memory of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe
PID 2488 wrote to memory of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe
PID 2488 wrote to memory of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe
PID 2488 wrote to memory of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe
PID 2488 wrote to memory of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe
PID 2488 wrote to memory of 2640	2488	Adobe Download Manager.exe	Adobe Download Manager.exe
PID 2488 wrote to memory of 2440	2488	Adobe Download Manager.exe	schtasks.exe
PID 2488 wrote to memory of 2440	2488	Adobe Download Manager.exe	schtasks.exe
PID 2488 wrote to memory of 2440	2488	Adobe Download Manager.exe	schtasks.exe
PID 2488 wrote to memory of 2440	2488	Adobe Download Manager.exe	schtasks.exe
PID 2160 wrote to memory of 2296	2160	vnc.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
- Maps connected drives based on registry
PID:2296

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3068

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
PID:576

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ZWiTC4dk98DU.bat" "
4⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
2⤵
PID:2640

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZWiTC4dk98DU.bat
Filesize
208B

MD5
82c98e7d10a90b2daf68f4b8760f5dcf

SHA1
75a86a676afde809868d3f7458602bd766ff4eb5

SHA256
98a2356683361045503c800135e33e72e9cdf560820d6e9f8a40f355417d7221

SHA512
8e561512e758ff742c58d0ec388e6304660be617420f7a142e93b084c22b2314c826811bdc7a0cc13ac8de6ca08858a9efc4f7877fa7919cecfac04ed92e86dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
334KB

MD5
4f6ea1405fef425639688dbfe289547c

SHA1
e1bf123bd0a394f0e0bf4b4d4fce8126344f0599

SHA256
4782076c2c755267fa97ec048fcd53dc666c928446177e4222271095911ad5b2

SHA512
0610b04f4995a46a4e4d7f7b76ebbcafb2e7fa9bf87e82b41402d8570b54dc67fcc488ca2ab94628b0b611e420c11b0bd608f2eeb80fdf394e30bd74f51e478b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
280KB

MD5
923b4774825a50409f2720c2266ee7ff

SHA1
8cc9c1f9f578b32228ea783abc505581003a7aa4

SHA256
34c2cb7b6a218fabdfd8e239c214f3d74214d7a22d2a4fe2138e60e198bc8ad3

SHA512
f68d8afec524510b159e2f4029a161ae1bfaf2f18feb60fdb975837d98f52284bf613178a7fb7592475e9a574e235d3e1f9491ecba0262f27b6b8063f965067d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
122KB

MD5
e270f61a8ad0d7899edf088c36485516

SHA1
44d1f054cb7d5c996fd86a812ea770dd3921895d

SHA256
a9362e691c895a4f3ff1c4a59611e4bd6cbc5b051d62e0ed02b914ae8a3f2a71

SHA512
c29df0487154939b354cfeb5782b7566810973773879fef818c3e83d6afa983094ff7c2478b01636887856223b50837beb6bd23893571148ca8dd76c6214b597

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
61KB

MD5
9d9b40b9f36bd639d5c47171205deba5

SHA1
0c14c59ae754af3000edd3ac96c63b94f498b44d

SHA256
cca9e5b2ca4195d85f333d867287c73f30049360ff49d457775b68de034f711e

SHA512
d9966a98f33cd79c4401075ed2f59d176ca662c6d8c51674fa968e25bea6dfae7932ce3beab6232104d68b24caa5e7b350c62ec58975838641d43a2d4d790e4b

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
405KB

MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
334KB

MD5
b2bc4bfa5cd7a7442334b44a03746393

SHA1
aa9d2eed0d2dfa51a3e922b8076ea7ca438f1747

SHA256
3c240a7626120d8324f37fb5fa8956acc0e0c33b658702632a8e4297127d9a46

SHA512
d9abc465867aed961e169512f34e082f194c98bc7b99f8a418a55553836457b304ec1a63fafbe6909274466cef9290e0fda41df60ab2f9618100f479748419bd

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
349KB

MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
341KB

MD5
9cbcd4eba51e251ad9bfbb9c2e580988

SHA1
3b06f544375526a121c8c7e69a096a759c64d853

SHA256
d74efdc4bda3d33c3e1cd4aa67dde4bc22664a04314d738afdfd86d8894b4f17

SHA512
dc528ce94ae7852f7eb5682acb139c79f04a8556429c5b8dce01cee5447a0c49ac9dff7d7d0debdbbfb95cb48f3658d14828df1d4b964ad7d7283ed55112feb9

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
303KB

MD5
4bc8a69c888f2e749865e7c31a436a85

SHA1
78fced407df3eea9e151796b649aadefec622095

SHA256
6ae9db0a5a9435510911f3e52a91b42f42e1c3ef66fce2e9040ae06a9be76cd1

SHA512
33c73fc8ab8500c916b3422489f0aaa0ee306afd8a5e97932e4b47a649e28f0b38a6d7e6f7db54de213edda44472dd176fa3d78ceefe1611e849bdb3e4eed420

Download Submit
\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
55KB

MD5
7fdc28b6baa5c8bacde1c7f8d4425244

SHA1
1ee6a8e1b4e35db4d5cfd5edf4e33e0c5f9f60fd

SHA256
7efc58e9c9eb5e86404625ae8c9fb181519d3a5614c921045d36d2ebab11918c

SHA512
b8035d350e3f20706ef5bba1bdf3a7f4adb85932d3fcf7d39ff5f1fdd2b4ee03fee9490c267f2f3fda94489476ed079fbe6865f94f7d6f9569e60ae9156416a8

Download Submit
memory/576-66-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/576-70-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/576-67-0x00000000010B0000-0x000000000110E000-memory.dmp

Filesize
376KB

Download
memory/2296-57-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2296-35-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2296-42-0x0000000000270000-0x000000000030C000-memory.dmp

Filesize
624KB

Download
memory/2296-50-0x0000000000270000-0x000000000030C000-memory.dmp

Filesize
624KB

Download
memory/2296-56-0x0000000000270000-0x000000000030C000-memory.dmp

Filesize
624KB

Download
memory/2296-39-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2488-29-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2640-33-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2640-31-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2640-43-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-52-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2884-58-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/2884-55-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download
memory/2884-49-0x0000000000350000-0x00000000003AE000-memory.dmp

Filesize
376KB

Download
memory/2884-68-0x00000000740F0000-0x00000000747DE000-memory.dmp

Filesize
6.9MB

Download