azorult | cdb4f82771d838d1641a0749e9726ad77edcc91b7d34162da03f36a3d201df43

General

Target

b43c38b648f6f242c023d744a3d4aced.exe
Size

354KB
MD5

b43c38b648f6f242c023d744a3d4aced
SHA1

c6044466c0f859645482f2565fad4854d0fbf586
SHA256

cdb4f82771d838d1641a0749e9726ad77edcc91b7d34162da03f36a3d201df43
SHA512

0e4c99addc2e9a9ad21cc20846204cca9c87f926b273738c0b4d39905a29cc07e69a1225321a75114fac6cb4c2c5a0f3d903ad15c0b157e2745889b0ac156866
SSDEEP

6144:y0NUHxKsXA0NK8AMKaoMzPegiu083yPAaQZxRcSov3Rkee0SNyQjutzjKQ:y3bKmlXzGgiuByPA/ee0xj

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b43c38b648f6f242c023d744a3d4aced.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	b43c38b648f6f242c023d744a3d4aced.exe

Loads dropped DLL 4 IoCs

Processes:

b43c38b648f6f242c023d744a3d4aced.exe

pid	process
4364	b43c38b648f6f242c023d744a3d4aced.exe
4364	b43c38b648f6f242c023d744a3d4aced.exe
4364	b43c38b648f6f242c023d744a3d4aced.exe
4364	b43c38b648f6f242c023d744a3d4aced.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

b43c38b648f6f242c023d744a3d4aced.exe

description pid process target process

PID 2276 set thread context of 4364 2276 b43c38b648f6f242c023d744a3d4aced.exe b43c38b648f6f242c023d744a3d4aced.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2276 set thread context of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b43c38b648f6f242c023d744a3d4aced.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	b43c38b648f6f242c023d744a3d4aced.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	b43c38b648f6f242c023d744a3d4aced.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5108 timeout.exe

pid	process
5108	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b43c38b648f6f242c023d744a3d4aced.exeb43c38b648f6f242c023d744a3d4aced.exe

pid	process
2276	b43c38b648f6f242c023d744a3d4aced.exe
2276	b43c38b648f6f242c023d744a3d4aced.exe
4364	b43c38b648f6f242c023d744a3d4aced.exe
4364	b43c38b648f6f242c023d744a3d4aced.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b43c38b648f6f242c023d744a3d4aced.exe

description pid process

Token: SeDebugPrivilege 2276 b43c38b648f6f242c023d744a3d4aced.exe

description	pid	process
Token: SeDebugPrivilege	2276	b43c38b648f6f242c023d744a3d4aced.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b43c38b648f6f242c023d744a3d4aced.exeb43c38b648f6f242c023d744a3d4aced.execmd.exe

C:\Users\Admin\AppData\Local\Temp\b43c38b648f6f242c023d744a3d4aced.exe
"C:\Users\Admin\AppData\Local\Temp\b43c38b648f6f242c023d744a3d4aced.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\b43c38b648f6f242c023d744a3d4aced.exe
  C:\Users\Admin\AppData\Local\Temp\b43c38b648f6f242c023d744a3d4aced.exe
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\b43c38b648f6f242c023d744a3d4aced.exe
  C:\Users\Admin\AppData\Local\Temp\b43c38b648f6f242c023d744a3d4aced.exe
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "b43c38b648f6f242c023d744a3d4aced.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\timeout.exe
      C:\Windows\system32\timeout.exe 3
      4⤵
      Delays execution with timeout.exe
      PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CA7B1EDB\mozglue.dll

Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA7B1EDB\msvcp140.dll

Filesize
177KB

MD5
a936e855a81d7466c0da4cbe35f3c1c0

SHA1
936c5551a21c18afbaf0500dd9f54cf9f9ea0210

SHA256
5eb328711993091fd66f30b30b2ed096fbf84583d7f028d1c344f5af9766d4f9

SHA512
cebcddad7493d793d163ebf28dd34c0d34bf7dfa194e6fdef17ece36dade53a365409a794f76efd6ef89dc81a44ae92582f7c740cac95861bf1539d2088d449c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA7B1EDB\nss3.dll

Filesize
704KB

MD5
d936d9a242f83f67dafc413dca9d4411

SHA1
c92c4dd0fbd3345e8984b6ac13217cd35186e1b9

SHA256
b5e0ebfe41555c20ef22a14825bfb09a6f80ec86fb7c8b2c3ba8f2e54acfd66d

SHA512
f84eb2471ac7a99958103d296ec4f8f9d5ed55f797c2a9d62c411e349491994ed47058c6c62ed81b95ce2b2b23590fbfbbbe821a546e6961002d64a3f8263c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA7B1EDB\vcruntime140.dll

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2276-8-0x00000000051E0000-0x000000000521A000-memory.dmp

Filesize
232KB

Download
memory/2276-4-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/2276-6-0x0000000005050000-0x00000000050A2000-memory.dmp

Filesize
328KB

Download
memory/2276-7-0x00000000050A0000-0x00000000050DA000-memory.dmp

Filesize
232KB

Download
memory/2276-0-0x0000000000380000-0x00000000003DE000-memory.dmp

Filesize
376KB

Download
memory/2276-9-0x0000000005220000-0x000000000526C000-memory.dmp

Filesize
304KB

Download
memory/2276-1-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2276-2-0x0000000005290000-0x0000000005834000-memory.dmp

Filesize
5.6MB

Download
memory/2276-3-0x0000000004DC0000-0x0000000004E52000-memory.dmp

Filesize
584KB

Download
memory/2276-15-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2276-5-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/4364-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4364-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4364-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4364-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 2276 wrote to memory of 1656	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 1656	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 1656	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 2276 wrote to memory of 4364	2276	b43c38b648f6f242c023d744a3d4aced.exe	b43c38b648f6f242c023d744a3d4aced.exe
PID 4364 wrote to memory of 3700	4364	b43c38b648f6f242c023d744a3d4aced.exe	cmd.exe
PID 4364 wrote to memory of 3700	4364	b43c38b648f6f242c023d744a3d4aced.exe	cmd.exe
PID 4364 wrote to memory of 3700	4364	b43c38b648f6f242c023d744a3d4aced.exe	cmd.exe
PID 3700 wrote to memory of 5108	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 5108	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 5108	3700	cmd.exe	timeout.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads