azorult | bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413

Analysis

max time kernel
0s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
23-12-2023 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe Download Manager.exe
Size

2.0MB
MD5

c04ab7d36b2e6e8175fe2e0fa8dccf14
SHA1

6516b7e30fc92ced182230288726e517251db430
SHA256

bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
SHA512

c3bc065567b5d302c62c83a67426e465a7000aca9a99d3169c488d54ed9824972e327846109af12314d25ab10180c370468c63b11eb05aac1b3bed7d2110d753
SSDEEP

24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB

Score

10^/10

azorult quasar ebayprofiles infostealer spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Extracted

Family

azorult

http://0x21.in:8000/_az/

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 12 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
behavioral1/memory/2140-41-0x0000000000EB0000-0x0000000000F0E000-memory.dmp	family_quasar
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
behavioral1/memory/2828-60-0x0000000000360000-0x00000000003BE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar
\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2712 2148 WerFault.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2480 schtasks.exe
948 schtasks.exe
1812 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Adobe Download Manager.exe

pid process

2216 Adobe Download Manager.exe
2216 Adobe Download Manager.exe

flow	ioc
5	ip-api.com

pid	pid_target	process
2712	2148	WerFault.exe

pid	process
2480	schtasks.exe
948	schtasks.exe
1812	schtasks.exe

pid	process
2216	Adobe Download Manager.exe
2216	Adobe Download Manager.exe

C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Download Manager.exe"
2⤵
PID:2636

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2480

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
PID:2140

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
PID:2828

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:948

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 160
1⤵
- Program crash
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
1⤵
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
32KB

MD5
0d3fbd137993977377a181dc9be9cb23

SHA1
706feb5e29c4df48ccad18fde026cad17bbe8f11

SHA256
70408762de423114d3d5b1ecae5b40cdb882957db33ee8835eaa5aab9bc7458e

SHA512
a2abee53d03ed8145ed0b0d38e26490be5a4f4aadad00c746c6f52838cd58f659ef9c8a018229aa753c3cd22494bb2168a398910eace3905c4f4e34c886e6c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
50KB

MD5
d9a46bc5044bb43e3ff93211194a7793

SHA1
3631ccf86e7bec7b22484f67d34caa3f003adcd7

SHA256
5ca228dc26011829eb91e9a944eeb8eefe05adf03e5c281b04c93dc84d6c3858

SHA512
8342c2ab4a267a929807a5646e6921372cce702595be4821133fa9cde55d51eec5e658a00ad95c0f030b72badabe6f73f23332ccc4a06e3041bc3a3a95b5895f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
117KB

MD5
55ece710a60f75046845a54d2af90166

SHA1
7d5150227639eaa68bdc66da3f0e57884e00944d

SHA256
a0351a4ec1bccd6ebe1ad1b2711fe41cac97e826541dee54502067ed4fab60de

SHA512
8d0dd2b2bfa7f22d1a290807dfdaa566910bfd5e3e981aca87a46e99cabd6d65590ebf96dfbab75577215aa2166367275af9945653b149a6adc869fec4e5a9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
29KB

MD5
5f95d3f0061661ea00bff1f17d837062

SHA1
4593a4649549d21768457ca0e3169ad6543bb751

SHA256
250b9304d13e1ffcd224fecd769ea26300b05b07497b2266f691b4ca3927339e

SHA512
63f7b5a4f20580d21b12fecdd746fc34cdc7c97ad14191e90a0e78bba7f6e32cdbd58b34aea2216f70dfb34c8cd8fc3553bd9744e515e2a2f5536b28912191ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
28KB

MD5
c7de4af91a9da9d4c40d6a2b45852f6c

SHA1
fbab0610b0ab335c7d896a9de2a2f7889261e1c2

SHA256
10576b515e6482e4570cf4e839e890d3b6d63a05672fe14d6014d1257a871764

SHA512
96d0f3af21b41453c4c893fb15d9c7a97d65866f4eb5cd47826623272c721cd61be20b0eb32b36e57d3c36ba351e710fdb0d0a693fb380486cf74afeb62369d3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
18KB

MD5
bee8b62e9dea83b5d5ce26df5e7a40b3

SHA1
d27b8a4bf91065f54bee35bb14ad2c3c5071fcd5

SHA256
1906babf7a3f11d8321565062cacacfb1a96ef67d25f506497c9e74ff75b2b54

SHA512
31261551042c879dac6dc1089c64e7d8435d15822f71636aeb24161c9960d51393b0b30165e07f1eeac5719b59922decd288d1b71913a37cca7ff424286adbda

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
5KB

MD5
64f63b65544d3521f7dd9dda43bf3b8c

SHA1
669a11b036d61c983a81e860864da2020acdbb2a

SHA256
704c105076982013ded1f899789c0620b3169b435d8aa2260143c597667f4f84

SHA512
155cdcebebb57276d73894daebca806444f3e2b90d258998332663cf31ef9711c6036479a708e1d864076f4a0a30028b041de552989d84d93c8136672e2435d1

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
1KB

MD5
3b714145a64459db203a962b3e47ba18

SHA1
b4093e7777443048f2a36e70d26609b8acd69fe7

SHA256
0610c855b67d4eafd3cf32dbba1b4746795774b2a4584d2dbe270a10d2687b13

SHA512
8ff5e17d98806a40c669615bfbad036447f5560180bc995b4786710b24025419e42f56c75d058fb90c024e47479c74a26f1745d8e1da92fb1ef6f5234efc935c

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
32KB

MD5
9814588a640a6556da411c18e53b3ac3

SHA1
37ee8f5119ea5553904e2c5548f0e00071d36bd2

SHA256
d9003b9592874d17ca6b44389b1fefdc4d01ba22ed4e74d68320356424744ca7

SHA512
661e0171cf179768415653d7dcf4333155ddc1e9d0b64c9e0e09dd35d56d384674338d049b4dae4c77bd631e51c2ae9420784874aba25f84c865f9b08f197f74

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
5KB

MD5
3af151487fb30f412d2b7855f3bc5609

SHA1
438ce528ef5236604658e1c862def48ecd628ecf

SHA256
36154cf596a3431fbbdbfd720411f51b6a683a5b75092bb3a76a9bc672440eb1

SHA512
faa302775f42233e8b2803b2649c209780c3dfc9c7845c5f013671579d5d5817c4b50252a5ecd49b6d3225248e7d891ba22eb54564844a7d397023c178530230

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
13KB

MD5
7925a7ee380054fe84cd29fbee4cb678

SHA1
116eecdc2e4c3a369a4025fc5bcc12878eac52ba

SHA256
a20cfa7c2c561d9d35019d1e683868a3f37b170cb6688fa1edcfddbaa8040554

SHA512
2c82c4a479adbafcd057a548a60f2a0797b226599dc41ed2bd3cd3b2dd331f48c02ec59f284fe42ba6524dfb7269e8850a4b86526421822c271ed4e783fdc19d

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
38KB

MD5
72affead8ce7b87ae18677f87aa48dc7

SHA1
5565f9697d06deb666ce41dc2c30babed90e3555

SHA256
f7ec31f5db0df19d3186801c22074c37789f3e7dea13b3c22b62f9571e40bfc6

SHA512
c1c2efbb7fbb1de91ff48b841e8a31db6dacdf175d3cc4fc96d6dd3c2bf2edcf55b22db350d21422367c0701cc4cd6cd497faf64211efdba24ab121656d172af

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
50KB

MD5
5f05933a0dfe58cb5b70c3cf2835c109

SHA1
0a5f1a081a63b2e6a52b58464f6087a3eae0f2de

SHA256
d96fb84fa7e697cb508a00d04d71e5b1f13bfa36842ae32da783d9d99714cc12

SHA512
61e282eee6ea46b5096bfb3498cfe61445a0b74e992b2deec5a79b29c263c7146d68d3804f2fd9d943ff3e54c064a84b2963d48fc09f03efa4da693910fc62e3

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
43KB

MD5
680189c2dfcb56685ca7ea3df29887a4

SHA1
78d79b2362e559cccc578f9aa009246d32ef6ff1

SHA256
e1ce174b34642a7dea9f5715e9e8c6fd3d1f8a4bac4259daeedeb688f5349a0a

SHA512
8d09cef9121e3edd6dca01910cdaf9e0a7b51be93a06152613680575ba982506ca6570b553b2d151bb43639b004af10fce639f0bc92296d4997b4a43932942e6

Download Submit
\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
23KB

MD5
22c68473579a0ba1f5e58f38ec82a819

SHA1
961019fc330ec8ced9a5a80231dcea587b052036

SHA256
6914d2567d9403e8b4919a3a00b8679db18106cd6d57098fe636d8c951061dfd

SHA512
9371d190c24f93b72bbf25e8e67bf139c18340bc95a3598ed1ece57fc1e302794c2aea5ea9212b377a715c8f0b0f9ddc7aa9d954797e2bbd923adf94d4f0c898

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
23KB

MD5
3b4c63cd2ed788593fb129deb3c9c1df

SHA1
4ef2e748252adc2c218674362dd7f78a956b4307

SHA256
e8a37b7a25b39b1a0765f4b5d0f479eced3b761183e62918ee2d57da956d8a87

SHA512
73d3292202906d94a6268cff3bdb2fcb1b83f4833a7a11f3a0ee426420a4aa8de81b65f2cb28bc916516a81b717b8ba04f772e52a3e532c9f34c568a3cc3eec0

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
75KB

MD5
0dd71afdf4cc2375d8e63d09e11a8c83

SHA1
a259ac04e94683a8c4acdb37bd21525cafea9707

SHA256
d07f044edc6332e80ad9b06700b7908cb074db0f8faf21b9f88c0d934f312350

SHA512
f32606fd7cb40e5411c34d26ce9eb54fe766ef38ba9b32a96e5f2ca60cbff57d815ce39823d921498a252d698adb5db10db7fdb42af5a029e509faa6a194be15

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
67KB

MD5
1852a2a68cd4c87e68184580c99ceea8

SHA1
2b67c7db8887aef8a5c1dd0f06db337b681635a5

SHA256
3342aca6693d2d279cc60042a67d3cc5c9498386eb4b775e5be5087ab75932b4

SHA512
6a24fd967b20eb879ac04d3040b7da178b73048a70444e8a220ffc47cfe0821fedfa6b91363bd2048af847eb57ee500bfb798f8810c14aad40476c6e1bb8626b

Download Submit
\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
32KB

MD5
b29f66e7b7b4a8a03efa7a0dce5aa8fc

SHA1
e8866c88ebe28509b11ebea5de62724862cf061f

SHA256
e02a48a5cb6408e188f859ee7366ac92d91859d29158e44d7b2cf573cd72fa64

SHA512
94acd7a3ca15827447df0fadc185370511bf3678ad46d35a5fe51552f9025fff8776afd927db7f2e0ca5d843eabfe4657ab480b17ce72447d5464035a2b11a73

Download Submit
\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
12KB

MD5
597ebe13188229f807af923afa996e05

SHA1
0d482218e9c0cf92be61f35db4a9736ec0678323

SHA256
1dc62c67047cb4b8ec845bea32b89c60055423ddf1db7bb8cdd8b7f7a999308c

SHA512
4f72301a41d3ffafdaf247799191c9fb4fd75275922462a75eb7610bbe612f9f3f37340d62a7d5d0ddb299a4ea82d940af291d9b3e0d6ad9c3192d7e99ecc34a

Download Submit
memory/2140-41-0x0000000000EB0000-0x0000000000F0E000-memory.dmp

Filesize
376KB

Download
memory/2140-52-0x0000000004AD0000-0x0000000004B10000-memory.dmp

Filesize
256KB

Download
memory/2140-51-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2140-61-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-29-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/2636-44-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2636-30-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2636-32-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2636-39-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-62-0x0000000073D60000-0x000000007444E000-memory.dmp

Filesize
6.9MB

Download
memory/2828-63-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2828-60-0x0000000000360000-0x00000000003BE000-memory.dmp

Filesize
376KB

Download