azorult | adfe6558bd5a1a7daec955583a619308369d3c9d400b8f99d3400e0792227d8b

Analysis

max time kernel
5s
max time network
126s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f423e4da4814af3f0a2e85deede8546c.exe
Size

3.1MB
MD5

f423e4da4814af3f0a2e85deede8546c
SHA1

0d9d30ce5fdda6dac9b616b6e468db8af44e34b1
SHA256

adfe6558bd5a1a7daec955583a619308369d3c9d400b8f99d3400e0792227d8b
SHA512

8bfac9aa115fd18883c62fb9840c3a67d55c84e496a5be889e1fededc8890cb3c09780164761b23c9afa248bc820d9e27fda4c53c311360ab40a7f1ca9670881
SSDEEP

98304:8dNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8h:8dNB4ianUstYuUR2CSHsVP8h

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
2856	test.exe
1808	File.exe

Loads dropped DLL 2 IoCs

pid	Process
3020	cmd.exe
2856	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2928-45-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2928-49-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	test.exe
1808	File.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	test.exe
Token: SeDebugPrivilege	1808	File.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 3020	2928	f423e4da4814af3f0a2e85deede8546c.exe	19
PID 2928 wrote to memory of 3020	2928	f423e4da4814af3f0a2e85deede8546c.exe	19
PID 2928 wrote to memory of 3020	2928	f423e4da4814af3f0a2e85deede8546c.exe	19
PID 2928 wrote to memory of 3020	2928	f423e4da4814af3f0a2e85deede8546c.exe	19
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 3020 wrote to memory of 2856	3020	cmd.exe	18
PID 2856 wrote to memory of 1808	2856	test.exe	22
PID 2856 wrote to memory of 1808	2856	test.exe	22
PID 2856 wrote to memory of 1808	2856	test.exe	22
PID 2856 wrote to memory of 1808	2856	test.exe	22
PID 2856 wrote to memory of 1808	2856	test.exe	22
PID 2856 wrote to memory of 1808	2856	test.exe	22
PID 2856 wrote to memory of 1808	2856	test.exe	22

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
    3⤵
    PID:972
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  PID:952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\f423e4da4814af3f0a2e85deede8546c.exe
"C:\Users\Admin\AppData\Local\Temp\f423e4da4814af3f0a2e85deede8546c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
139KB

MD5
9a166386db9cc8147944e1686800d4a0

SHA1
dc35a3575dfd213f18a92f6251b842d56b9de72f

SHA256
3d9ecd07d669e319961bc729d2c92ede9686414ed69b1ba89acc52566f5bb094

SHA512
cdbf0a47079b06e0a2e2bc6f10236d5e8290231a2c36e164097246e96954dad2afdff37d7f35f5a2d22298310b14ff9e9b38230a5b0564cdc929af91659edbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
342KB

MD5
37c82e15058e2f8f5e9525b956e6440d

SHA1
3bf20d00bd7a7943c4066d534f5b276cac5ae39f

SHA256
80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

SHA512
5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
208KB

MD5
0e8ef37cc938cd45647ef96be1535e7c

SHA1
396558685c1fe314a7037215538806a9d28d09c5

SHA256
d3351205924be476e96e1ed9c565b1efc98e419f15868364a0122c69a74a83d9

SHA512
c9a69bb1e28674df83499a432be1893260cfe15cbfbcd10f2768b0a08c5c60be9608820062f1a013f92c2eac2fc6bb987eb70c203021a42d977216ee94ec17d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
92KB

MD5
b14a170e8ce123d0c0233ee9b4c8682e

SHA1
0a332bd23e108aea4dba88a969d8e5c7af101902

SHA256
dc57abd6afc62d9913d160336310909d44cce02dbbd422d22f3477b9ece4c8d9

SHA512
69a120d6979e0951180019be6c08add6b39411d379a9fcbbe81fa99da645a32e04efe93c2a75bb9fc15595f237cfa2b7059ab8f4b52e2502432ee04503428f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
95KB

MD5
4a012df7629c688bb8c1954ec2f44815

SHA1
0a08cea6f5b59d7e474d34601f11ddfa8c27c950

SHA256
691e0dca5787a7828c9fa049993ad5cae5063b6094ad3825809a2e34b9d00e9c

SHA512
296b4c1fe94277870ae71baa142e834518b9c3e463d0e7f29f9a4249acaf0f05512069144944a34b3e8a5963ac0026b97545a06db5326c75b07aa1fbcdd5cf1a

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
16KB

MD5
ae6fc30212e709273acd625f65202772

SHA1
8b9a5f7655447da17834a3811192de75a32f36f1

SHA256
3dcb1aa9285d16fa961b1c451a00683bae1a84f389b5be40aa09b52a8670d991

SHA512
474a6b881cdb1cd160efde722f0d2d3a1b31900441e837e4b93c8b368f9316de175114b3458294137f9222a7587c3cc1f417f3352a085344087bf19c9377db0b

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
148KB

MD5
7416d57e901df3304be84ca252a89800

SHA1
b47cbbcd749da5d72376155bc972a05b14570fb9

SHA256
8485eaed10daf8896304ab3e4825e619051b4ba3bacd06dbd99fbd0c0482266e

SHA512
d041e74c2f96f4e9c00aa666b0356b2f91e66d611b0666c5c0afa1b30d2a0ac0c4072f691e6e59bd5075c29635ab560483fe758fd12d6987d4a4fc032f002ff3

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
101KB

MD5
f4ec655fb5249d5fc20c319e55697025

SHA1
73694244d3fc03b9d1111e97efe77a66e0945336

SHA256
3401a95017de364f2fc6e37f67921075585d09d3ce10316144e939ad1c6674b2

SHA512
d82def8525fe1b852a32258e29fff79cffdf2229698159d2a5be88cbd1388e40833de182b99aa74a48ed286eba504d203fadd975f7a344b89a5373524ad2fa33

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
92KB

MD5
e0addd280f5d08e98cd28190db9ff173

SHA1
762c35240c806485d936103716991ec518edb973

SHA256
fc941645429189b502848d70bff0cff94e0391af5295e571591c23cb6099e67a

SHA512
e087b75a77c10f0849633ddb2f2f658388580f19b1dc9345c79d41ef14eda18dd8b70017d180612cfa8a6461d332be3cdfce850d2c2f14a4b408a69f94b7de81

Download Submit
memory/1808-19-0x00000000004F0000-0x0000000000530000-memory.dmp

Filesize
256KB

Download
memory/1808-16-0x0000000000E80000-0x0000000000EDC000-memory.dmp

Filesize
368KB

Download
memory/1808-17-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/1808-18-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-47-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2116-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2856-48-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-7-0x0000000001110000-0x0000000001150000-memory.dmp

Filesize
256KB

Download
memory/2856-6-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2856-5-0x00000000011D0000-0x00000000012BE000-memory.dmp

Filesize
952KB

Download
memory/2856-8-0x00000000005B0000-0x0000000000636000-memory.dmp

Filesize
536KB

Download
memory/2856-46-0x0000000074500000-0x0000000074BEE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2928-49-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2928-45-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download