azorult | f46b5a20bbcff8379332d912fe03e03274a3d05621a33b7c46b9fe8e95623730

Analysis

max time kernel
7s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
Size

2.0MB
MD5

c04ab7d36b2e6e8175fe2e0fa8dccf14
SHA1

6516b7e30fc92ced182230288726e517251db430
SHA256

bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413
SHA512

c3bc065567b5d302c62c83a67426e465a7000aca9a99d3169c488d54ed9824972e327846109af12314d25ab10180c370468c63b11eb05aac1b3bed7d2110d753
SSDEEP

24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKYP:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YB

Score

10^/10

azorult quasar ebayprofiles infostealer spyware trojan

Malware Config

Extracted

Family

azorult

http://0x21.in:8000/_az/

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1712-25-0x0000000000880000-0x00000000008DE000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\windef.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe	family_quasar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

40 ip-api.com

flow	ioc
40	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	autoit_exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	autoit_exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1476 4112 WerFault.exe winsock.exe
2672 5080 WerFault.exe winsock.exe
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1172 schtasks.exe
2184 schtasks.exe
5084 schtasks.exe
2020 schtasks.exe
4516 schtasks.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4252 PING.EXE
1196 PING.EXE

pid	pid_target	process	target process
1476	4112	WerFault.exe	winsock.exe
2672	5080	WerFault.exe	winsock.exe

pid	process
1172	schtasks.exe
2184	schtasks.exe
5084	schtasks.exe
2020	schtasks.exe
4516	schtasks.exe

pid	process
4252	PING.EXE
1196	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe

pid	process
1820	bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
1820	bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
1820	bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
1820	bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe

C:\Users\Admin\AppData\Local\Temp\bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
"C:\Users\Admin\AppData\Local\Temp\bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe
"C:\Users\Admin\AppData\Local\Temp\bc2075cbfaa127a6a3f684bb42bae6f11861258630e37422ebd832d2f2b40413.exe"
2⤵
PID:3916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:1172

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
PID:1712

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
3⤵
PID:4112

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 2000
4⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQJ8rkQffC6v.bat" "
4⤵
PID:2444

C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
"C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
5⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1768
6⤵
- Program crash
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qjeeAv7MPrvg.bat" "
6⤵
PID:828

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2184

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:544

C:\Users\Admin\AppData\Local\Temp\windef.exe
"C:\Users\Admin\AppData\Local\Temp\windef.exe"
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\vnc.exe
"C:\Users\Admin\AppData\Local\Temp\vnc.exe"
2⤵
PID:4288

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
"C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
2⤵
PID:4868

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
2⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
1⤵
PID:1340

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:3488

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4112 -ip 4112
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5080 -ip 5080
1⤵
PID:4820

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:1196

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:3704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1108

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1772

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4572

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log
Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\NQJ8rkQffC6v.bat
Filesize
208B

MD5
0f9408ed7611a375cef4f381cffb6a37

SHA1
51737de4826083b05ef5295047e189d1d6a863dd

SHA256
74107ba1bf46f8f466f67cbeb1aa43d0f394f051fb4dda44c2e62b7f15183437

SHA512
d705b0d0db2afe83bed6fd0c9f3d02b41d469dd494beb2a8c829a5327d6057a0a8a03509fcfe8401891d146483bed50a84694e519fc5bbaedef11cc4ff7d7d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\qjeeAv7MPrvg.bat
Filesize
208B

MD5
2aa63110d56e273b6a3cc8102ca0f22f

SHA1
162c3919cb85faf1b867cdfc011703e256cea237

SHA256
25e9ddc22f52b4be5aa927348eb3bd0a4c7b0d9c685c789b191cf6b711d496b6

SHA512
0ef2314031efabdfdbebbfa5d335171eb2d097aa222f9f6dbe293ec4e701dd88cd738346d05326eaa73d805c0c4b124c886745737e7a46ee9b3ef50963798c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
17KB

MD5
acc00fd13b9691465acddc2cddd9015b

SHA1
dea73bd2f6b51b37d88268fbec24ba7d216da50c

SHA256
7698306ee38405a2ce63d179bb856be470dad12e4ecb1eb3f11ba5944679fc9f

SHA512
ccc43c91c6b2df962026e685d104060d6732a64fab227a5de1d579f88651d73e57ca3db9d052dfaed3a48333ffff0c2eaf855de9d388ae258ce5b76bedc26cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe
Filesize
48KB

MD5
6355d6a666016bfa161f599bf075a57e

SHA1
b2f080a0ff4637de79ddc93e4525411997873433

SHA256
dafedda21bf68f2c341e44c4e9f912b14577ea3da9b262c9afac066fb1b0e4eb

SHA512
6e33375b0a8e2a8b1b67a0a4075ba249645e166051ab75d60ef66a5828dfbd4aeea611fc2fdad7afe7dc86d61b592a4d5613d02a652d6ec4dc3e89750ba270e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
13KB

MD5
60d84b842ce6338fe29b160bf90a3892

SHA1
a6b51ed138a450ea798af1f1b74e54c35c8633a2

SHA256
c919fdbe66f14656e9dc7407c8a33b75f0d2b6aba3706582bd415947921066e4

SHA512
9eb63ffc7dbd878123200986ab699451bbcd91cbb49ea62d38153c00036270a7993b4a52b93a1ea0c90fbc232c16b460676fc6f74390e24580e0a67329de6dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
80KB

MD5
91094f43d4ba30185108200d1784e34a

SHA1
4df11b82bd823ac3fe199b63a6d9d7f9618d236f

SHA256
1676aaace8e44f8ead3d5a17cda9ab366d301eb9a2fba8b65e8d15464847039f

SHA512
a43536bf6242bbd435700235c4015f434144107ca0797aed1079d39152b0639f71705cf94c73552be5d4a250a6ef9b56d702dfad28ed9a178dec55bfbf5b55e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe
Filesize
57KB

MD5
b11c341bcaa71ece19a534dd318186e7

SHA1
e21b0804febb8a2fe526cea33d701f7bce078612

SHA256
b34f27c82d8ac76c30f7340fb6d728c5c3817a3e86365cfd45434aa0da1e0f76

SHA512
9512d6d8e552f18ed8c72ef935f1446742eb722f5cec15c8a278212646d2089cceba484d3454c6ac60172f0b1761b7b2dc2dbe2948bc750e200a28de71620505

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
Filesize
13KB

MD5
b48f00929e4efdf342dead5839448df4

SHA1
6671026eea7085cd1389648eee9d922ca2a8e11a

SHA256
c28fd413ca59737e18d14b0a829e88421323cfdd09fb70cdd6931eca5b317a60

SHA512
d1ebc96dc994e91ce1f400ebe67490b95f6aeefcb6ca19de0b3dd7f7d868735b599d1ef10f7d761a35ccc021aee261a0d3de0e194703144b05ab345a4c55631f

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
Filesize
16KB

MD5
ec6092eb8883ee18cb7fe02837f9fa58

SHA1
7702f02399496b0956f998436a3f5c84f03a0939

SHA256
6c0dbb1629d39557c78cfb8260365abbeef0c81c5abba2e28e5c2cc4501b64ad

SHA512
0580baf4d8c12890e7228c0db8878fb0dc53ba6033c92745c526d6a88e4a3ca0229b46d3ca2e703a60fef2795f50e83a46861cd5c73ad1fabcefce1b91f40dce

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
Filesize
25KB

MD5
86da8b38f3ae887e7f78ca25488f26de

SHA1
28c411cd582db041ba2545233e8f112cbf0faf0d

SHA256
ec56a4eec94d2fe53fe9728ffe626b8b9a5d00c75fe2bb769768b9bab89bdd1d

SHA512
8d3c190d1652a498b2d4fa90d7cb059c4dc1e053dcdbea93f6b1bf58b86d6f5e7fac381c2ef2399a873b5abb1d0c321da97da9a0bea7b62d1b1fb52c6d821082

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
Filesize
6KB

MD5
9d37b539938f2a1bc648b49270630a3f

SHA1
6a591c25832632fe9e822b3a663fbc64c7d8dc0f

SHA256
6a462f8a211101e1e79fba293c07ca364e7a781982faca4ca9a343d38049ed3b

SHA512
937aace4fda6760cd378dadcfa785e1cd19abfa77a5e776d827fa31ad135d1917a7c7693b7c5f0f31720e8b691b1368c3a8e830257f8a546881fd50315ed5dfa

Download Submit
memory/1340-88-0x00000000005A0000-0x000000000063C000-memory.dmp

Filesize
624KB

Download
memory/1340-107-0x00000000005A0000-0x000000000063C000-memory.dmp

Filesize
624KB

Download
memory/1340-82-0x00000000005A0000-0x000000000063C000-memory.dmp

Filesize
624KB

Download
memory/1340-84-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1620-79-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/1620-100-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/1620-80-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1712-42-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1712-23-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/1712-53-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/1712-25-0x0000000000880000-0x00000000008DE000-memory.dmp

Filesize
376KB

Download
memory/1712-34-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/1712-45-0x0000000006750000-0x000000000678C000-memory.dmp

Filesize
240KB

Download
memory/1712-44-0x0000000005750000-0x0000000005762000-memory.dmp

Filesize
72KB

Download
memory/1712-43-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/1712-41-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/1820-18-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/3916-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3916-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4112-52-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/4112-83-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/4112-54-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4112-56-0x00000000064B0000-0x00000000064BA000-memory.dmp

Filesize
40KB

Download
memory/4112-90-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4112-105-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/4588-29-0x0000000000980000-0x0000000000A1C000-memory.dmp

Filesize
624KB

Download
memory/4588-77-0x0000000000980000-0x0000000000A1C000-memory.dmp

Filesize
624KB

Download
memory/4588-30-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/4588-38-0x0000000000980000-0x0000000000A1C000-memory.dmp

Filesize
624KB

Download
memory/4868-99-0x0000000000FB0000-0x0000000000FD0000-memory.dmp

Filesize
128KB

Download
memory/4868-89-0x0000000000FB0000-0x0000000000FD0000-memory.dmp

Filesize
128KB

Download
memory/5080-108-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/5080-109-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5080-112-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download
memory/5080-113-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5080-118-0x0000000073450000-0x0000000073C00000-memory.dmp

Filesize
7.7MB

Download