azorult | 97afb5bb8d8c4000a604960f593e642002f9fd4253e68b5ff37f61ae76ce9a6f

Analysis

max time kernel
5s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd7d66648bb7c0b31d5951d485ee600a.exe
Size

3.1MB
MD5

bd7d66648bb7c0b31d5951d485ee600a
SHA1

360f6eb43693870d2993bc41d06a3356f3add488
SHA256

97afb5bb8d8c4000a604960f593e642002f9fd4253e68b5ff37f61ae76ce9a6f
SHA512

0b74f37db9216d32984720e16f034065d2330aadcefce870836fabf5231eb3c065fdee04368bcd2610772238360df4db94d8c33b3842d9e85ef67ed3b505d853
SSDEEP

98304:jdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:jdNB4ianUstYuUR2CSHsVP8x

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

test.exeFile.exe

pid process

2640 test.exe
2748 File.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exetest.exe

pid process

2736 cmd.exe
2640 test.exe

pid	process
2640	test.exe
2748	File.exe

pid	process
2736	cmd.exe
2640	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/356-1-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/356-46-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/356-49-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

test.exeFile.exe

pid process

2640 test.exe
2748 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2640 test.exe
Token: SeDebugPrivilege 2748 File.exe

pid	process
2640	test.exe
2748	File.exe

description	pid	process
Token: SeDebugPrivilege	2640	test.exe
Token: SeDebugPrivilege	2748	File.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bd7d66648bb7c0b31d5951d485ee600a.execmd.exetest.exe

description	pid	process	target process
PID 356 wrote to memory of 2736	356	bd7d66648bb7c0b31d5951d485ee600a.exe	cmd.exe
PID 356 wrote to memory of 2736	356	bd7d66648bb7c0b31d5951d485ee600a.exe	cmd.exe
PID 356 wrote to memory of 2736	356	bd7d66648bb7c0b31d5951d485ee600a.exe	cmd.exe
PID 356 wrote to memory of 2736	356	bd7d66648bb7c0b31d5951d485ee600a.exe	cmd.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2736 wrote to memory of 2640	2736	cmd.exe	test.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe
PID 2640 wrote to memory of 2748	2640	test.exe	File.exe

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Users\Admin\AppData\Local\Temp\test.exe
  test.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\File.exe
    "C:\Users\Admin\AppData\Local\Temp\File.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:1660
  - - C:\Users\Admin\AppData\Roaming\tmp.exe
      "C:\Users\Admin\AppData\Roaming\tmp.exe"
      4⤵
      PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
    3⤵
    PID:2612

C:\Users\Admin\AppData\Local\Temp\bd7d66648bb7c0b31d5951d485ee600a.exe
"C:\Users\Admin\AppData\Local\Temp\bd7d66648bb7c0b31d5951d485ee600a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1592

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
96KB

MD5
3156dc90762f0fa19b9ba18b97018b83

SHA1
898378738867a84b29757d6dc70e932becb72bd3

SHA256
f4394ba7382742545b4d11456e20942de5bc22e1cf048dcd6a434be9ba242082

SHA512
6ff398cac92ec0bd7fa883058049fa47362e58587915e154145e61a5156fc28a893f78e66526b69d093f3c350ef5e2af8edd9b9b9ecc241e7ff42ae0adca69ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
108KB

MD5
468b7cc4dfa1084aaabe1c2647a553ce

SHA1
38a0422db82395885dcda1697d319bfca0a12da7

SHA256
83fd0a953698fb041d69375c2920e367bf22a491afc345592fc9f95c2592ad9a

SHA512
b3b27da40a5a6527e90f8d6d1b5a4ef5b4ccf11c2e62be6c410033198c1bf503c170e06022997ed7a409433aba3206009aa3ba77226e4c6046ab21a7b4571bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
56KB

MD5
ffc12fc44bb596fb4dd1f9bae931a7e4

SHA1
4b4376f75160bae4d7967ec7eb655bfa89c33933

SHA256
9a752ef069bb1443d1bc9e1765fe3be3e759077165f87bab4989585547fdbd1f

SHA512
7f77320facb49e71d73ecfe74d9953e8b648cbed12cc30a91cc1eaa9d7c9bdc0905ec237eac8b9221278e55062f2ad453dcb29eb3924b5b39e2126b7bece1077

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
121KB

MD5
1c7a324a12f0a064c46665ffd1229ed2

SHA1
4f3c20ec6b180482c874af9685a8d7d5812c4aa1

SHA256
e4427c7f620aa71a9b6b05283f4afab5c243d4bfc3e36db61ac2370dc9d7018f

SHA512
8dcee5ba88d8a323541c13fcbb500499a80c63ce2b859498a7affbcdb7765636e66c1fcba9dd36ea57ac46294fd86466f21f09d4bc3cf1f32e47a8943c76498a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
150KB

MD5
400b475f5bec48dc50216753fdf385b2

SHA1
fa0c4c6b4cefc1e3b2b7a7ef3369e16e369da6ed

SHA256
cf2ecbc9a952d2fa1e43460ccd236c969b10711bf1478e672580cb026605dce0

SHA512
d73309fb083863c5ddeb37faa61005560fc8f549b300e99e4cf221308c96610e5aa007e4042497cee8cee1a98f636dac4c858336453c630978692364d459313f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
947B

MD5
19d7d9c8c4558de85deb2054366a26cc

SHA1
3edcf0db4ea0ba423430b033a52c3e147aaa8c45

SHA256
79fa9e62b6fd91a1c72dbaed5abc5c02f9dcd839f843ed5b46ebb4b98554b6c5

SHA512
10fcc29043ed9e7a73a709cc5008c5e313d4eb1fa229c07744553deb94717708cca9acc4eff34050f8d077ad2b157503087d0a1c0c34d463658ef9b6552c2478

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
85KB

MD5
00fc302bb059359d25c6a7f71995af12

SHA1
9a62b9acb830fb939a5ca7108b03ec69d848f3c7

SHA256
e12298db270fad32c7ae2c276f2ee1c24707fccbf0bda25366d2b5aef52fd60f

SHA512
dad2f8f5294743113799accaaa164cc677fae701f61b30ea48ce50fdc703ae5571dbe70a5694b513ed25e85002579f341a5f8c4861244d71e1e5da624e02682e

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
32KB

MD5
48fd6a3c05b5de6d8526e77c5eb3e393

SHA1
71ad768dd0c4b0a6747ba107b869d4e1a5015b3b

SHA256
534122dfbefff3286a22bf95f33d5d1ffd56098330c11f356bcabcbc45b35ebf

SHA512
4d2c1990ada817bea12204b1977b34f9976a08d942619c4ec84d4cb455129239e2ead4b64fa048faebbe8ef17a29c20d04c9325ee62b96115b112ef8a09f466d

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
55KB

MD5
4bcac1d6e3a14fc819115caf55424e3b

SHA1
7f6c136fdfbf954c918a060e5dcb1ace6385a44e

SHA256
9529cb405f9e3587f8449253f0c31c33d9370a31c6752419c8032bbe882363fc

SHA512
521e33416019d23e1259b7186c348f2fe1c910ac98c97e676bd58f796b71670ec2688b74262fa95275c6024456166e39c11e09f8dcc69a12b871009fe6bceca7

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
39KB

MD5
e9136469c74124215fd83f66da66699f

SHA1
c3ee7103526e12bb9be95b61f68460d937fcc064

SHA256
6f8fa9273bedb53f5082bcca8526117ddd2b219af281e6c99f2c05ce048cfeea

SHA512
22f0c3e24032e95804040d06b2b8655c607e9813db1e6ea99a61b6b9616254c6f3b4c293b55acf79e39cee9dce068b374ce771dcc7aca39fff67894a1b8bd849

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
97KB

MD5
aa8adcfbfd7d8c03f9d105d65b2516f4

SHA1
d2a122a764839021721ac2abb784efd2fd4a85c7

SHA256
e4b3f6620f822d93dd877a6aaeaeb0958272b2cbe8238cf328abadc20c280b9a

SHA512
a46a7780219b3c45b54a14758d8693e7903a5152690708363ca5d8a9c93de17b9831a6d331da2d79337400da5e10013d8f6e6cba1608b25ac07b282b9d77f76b

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
92KB

MD5
e0addd280f5d08e98cd28190db9ff173

SHA1
762c35240c806485d936103716991ec518edb973

SHA256
fc941645429189b502848d70bff0cff94e0391af5295e571591c23cb6099e67a

SHA512
e087b75a77c10f0849633ddb2f2f658388580f19b1dc9345c79d41ef14eda18dd8b70017d180612cfa8a6461d332be3cdfce850d2c2f14a4b408a69f94b7de81

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
54KB

MD5
826db473bcbfe6df08dcfaf1acdbb143

SHA1
48b2d5e54060684a48acd39747562f23bf27ce6f

SHA256
4ab2eb0055174a317044fb12c30187f2b7a258b6ef6643b702b1ce3e81db7629

SHA512
70fbc9b3517382dbb60a59ec4464f2db832ce1fdabfa707718356163ba9906f14ee07cb5afe7c5eae71040f106c596d95cdd17890c3977965f906a9507477229

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
28KB

MD5
9f92ce14f1cf71837f855e0b579822e5

SHA1
be7fb19bbe068e41e81f83dbe98271e15a303ede

SHA256
a66029d62abfc3673ed3b2ae04a3afd355b548d2149258fdc6e3e8a46172691e

SHA512
ac48e15d6fd9028ca8f85d24b3a2c43d1d3e85221e0177f88df062ad92473e0d6b9cc032373e021db743a1d38a04721c1c23f728bf8ce70c5438384fcb21f282

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
74KB

MD5
44361bf39efe8d207923afc73e1e1af8

SHA1
d84a638624d70c7f3651308b3f0ad967e6a59c3c

SHA256
cfe5dd21748964649b9b5b46e500c6b6d366d58613b914ae6d0d6f5fa75df902

SHA512
6143b51034fe7d6551b9955b33c5f516728f694e21e76d632e11cfcf90420de1bba3640e0d9ad73072509f45069f7ca0339ee1b4cd14916ca6fca243179a4d58

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
77KB

MD5
4b5d847bd593bba15f8d7976481ce7ee

SHA1
4eb07113f263f48f687734f837623079ca7cd9bc

SHA256
de8a0df0c27733918840ab2129ab62a181fd0f6936f1a0b27da01efeef24c7da

SHA512
b6812419c42995f56231b764be2bffcd6bf6a71d09f426c90e32e70ca1b556e6db851db17872559585397221db8f2d2447e7ea612834dc5577694a102e6a44bc

Download Submit
memory/356-49-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/356-46-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/356-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2584-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2640-8-0x0000000004C70000-0x0000000004CF6000-memory.dmp

Filesize
536KB

Download
memory/2640-6-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2640-5-0x0000000000160000-0x000000000024E000-memory.dmp

Filesize
952KB

Download
memory/2640-7-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2640-47-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-16-0x0000000000860000-0x00000000008BC000-memory.dmp

Filesize
368KB

Download
memory/2748-18-0x0000000001CC0000-0x0000000001CE4000-memory.dmp

Filesize
144KB

Download
memory/2748-19-0x0000000004870000-0x00000000048B0000-memory.dmp

Filesize
256KB

Download
memory/2748-48-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2748-17-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download