azorult | dec6b08ad93d22660e040ff56d4a6523428243741af91d0980efd00dc2521951

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011ea7874d4283dd836277fa880e228b.exe
Size

704KB
MD5

011ea7874d4283dd836277fa880e228b
SHA1

990de8c5104409e38bc9c33d246db07003c96dd0
SHA256

dec6b08ad93d22660e040ff56d4a6523428243741af91d0980efd00dc2521951
SHA512

06eda2f49680311c9d70015adfc0f05c3fadb92cde9d984a6852b088aafc1f39694e46dd97ecca19e97e42c22590d92b1e9a359d246227459350156d7feb7cfa
SSDEEP

12288:FICNfU0r7Eimtj3QlxV5Ka4vbV124x7aWtO3RlUG5c4RFSIkuW8:pU0nEbj8NKa4P7O0KjRFC8

Score

10^/10

azorult zgrat infostealer rat trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral1/memory/1720-4-0x0000000005470000-0x0000000005534000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-20-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-42-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-66-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-68-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-64-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-62-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-60-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-58-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-56-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-54-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-52-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-50-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-48-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-46-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-44-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-40-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-38-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-36-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-34-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-32-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-30-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-28-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-26-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-24-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-22-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-18-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-16-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-14-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-12-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-10-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-8-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-6-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/1720-5-0x0000000005470000-0x000000000552F000-memory.dmp	family_zgrat_v1
behavioral1/memory/808-2007-0x0000000005190000-0x0000000005208000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
2860	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Loads dropped DLL 9 IoCs

pid	Process
2164	WScript.exe
808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe
2600	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 808 set thread context of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2600	2860	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1720	011ea7874d4283dd836277fa880e228b.exe
1720	011ea7874d4283dd836277fa880e228b.exe
808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	011ea7874d4283dd836277fa880e228b.exe
Token: SeDebugPrivilege	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2164	1720	011ea7874d4283dd836277fa880e228b.exe	31
PID 1720 wrote to memory of 2164	1720	011ea7874d4283dd836277fa880e228b.exe	31
PID 1720 wrote to memory of 2164	1720	011ea7874d4283dd836277fa880e228b.exe	31
PID 1720 wrote to memory of 2164	1720	011ea7874d4283dd836277fa880e228b.exe	31
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 2164 wrote to memory of 808	2164	WScript.exe	30
PID 2164 wrote to memory of 808	2164	WScript.exe	30
PID 2164 wrote to memory of 808	2164	WScript.exe	30
PID 2164 wrote to memory of 808	2164	WScript.exe	30
PID 1720 wrote to memory of 1660	1720	011ea7874d4283dd836277fa880e228b.exe	28
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 808 wrote to memory of 2860	808	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	36
PID 2860 wrote to memory of 2600	2860	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	35
PID 2860 wrote to memory of 2600	2860	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	35
PID 2860 wrote to memory of 2600	2860	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	35
PID 2860 wrote to memory of 2600	2860	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	35

C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe
"C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe
  C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe
  2⤵
  PID:1660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fyxzojheuxzdxbqlgokhton.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2164

C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
"C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
  C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 112
1⤵
- Loads dropped DLL
- Program crash
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-1998-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/808-4392-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/808-4379-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/808-2757-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/808-2006-0x0000000000A20000-0x0000000000A7E000-memory.dmp

Filesize
376KB

Download
memory/808-2007-0x0000000005190000-0x0000000005208000-memory.dmp

Filesize
480KB

Download
memory/808-1999-0x0000000001130000-0x000000000119A000-memory.dmp

Filesize
424KB

Download
memory/808-2002-0x0000000004EA0000-0x0000000004EE0000-memory.dmp

Filesize
256KB

Download
memory/1660-2005-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1660-2004-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1720-28-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-16-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-56-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-54-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-52-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-50-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-48-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-46-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-44-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-40-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-38-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-36-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-34-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-32-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-30-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-0-0x0000000001150000-0x0000000001206000-memory.dmp

Filesize
728KB

Download
memory/1720-26-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-24-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-22-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-629-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-18-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-58-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-14-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-12-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-10-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-8-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-6-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-5-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-60-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-2003-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-62-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-64-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-68-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-1996-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download
memory/1720-66-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-42-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-20-0x0000000005470000-0x000000000552F000-memory.dmp

Filesize
764KB

Download
memory/1720-4-0x0000000005470000-0x0000000005534000-memory.dmp

Filesize
784KB

Download
memory/1720-3-0x00000000051D0000-0x000000000527A000-memory.dmp

Filesize
680KB

Download
memory/1720-2-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

Filesize
256KB

Download
memory/1720-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download