azorult | 3a202ee1deaeda21a66a8de098965cdbd111b3a53c9ab85be0d282d9464c96c1

General

Target

20c677bfe746ef21cb647ec197118313.exe
Size

500KB
MD5

20c677bfe746ef21cb647ec197118313
SHA1

579f6027d4f2d2d26d0a66080b60f00069aad5a0
SHA256

3a202ee1deaeda21a66a8de098965cdbd111b3a53c9ab85be0d282d9464c96c1
SHA512

c5a276d717c19563a0391d3aa0d7d084334126b3bb9aae95fecacd1b0fa340060ce182b417120e82d92abd0c84f4cf51e94806a4443bc6ca6ecf77ea33c3e4a0
SSDEEP

12288:9caIS4qCQ/s50L2ArSmPoPdAttEOpmysMkPQadTPxywtP:A7zXA2ArfPoP0tEOjsLPQuyC

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://petcf.com/az/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

20c677bfe746ef21cb647ec197118313.exe

description pid process target process

PID 2536 set thread context of 2616 2536 20c677bfe746ef21cb647ec197118313.exe 20c677bfe746ef21cb647ec197118313.exe

description	pid	process	target process
PID 2536 set thread context of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

20c677bfe746ef21cb647ec197118313.exe

pid	process
2536	20c677bfe746ef21cb647ec197118313.exe
2536	20c677bfe746ef21cb647ec197118313.exe
2536	20c677bfe746ef21cb647ec197118313.exe
2536	20c677bfe746ef21cb647ec197118313.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

20c677bfe746ef21cb647ec197118313.exe

description pid process

Token: SeDebugPrivilege 2536 20c677bfe746ef21cb647ec197118313.exe

description	pid	process
Token: SeDebugPrivilege	2536	20c677bfe746ef21cb647ec197118313.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

20c677bfe746ef21cb647ec197118313.exe

C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe
"C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe
  "C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe"
  2⤵
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe
  "C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe"
  2⤵
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe
  "C:\Users\Admin\AppData\Local\Temp\20c677bfe746ef21cb647ec197118313.exe"
  2⤵
  PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2536-24-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-1-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2536-3-0x0000000000640000-0x000000000065C000-memory.dmp

Filesize
112KB

Download
memory/2536-4-0x0000000074480000-0x0000000074B6E000-memory.dmp

Filesize
6.9MB

Download
memory/2536-5-0x0000000004D70000-0x0000000004DB0000-memory.dmp

Filesize
256KB

Download
memory/2536-6-0x0000000004FF0000-0x000000000504C000-memory.dmp

Filesize
368KB

Download
memory/2536-7-0x0000000000A30000-0x0000000000A5C000-memory.dmp

Filesize
176KB

Download
memory/2536-0-0x0000000000F30000-0x0000000000FB4000-memory.dmp

Filesize
528KB

Download
memory/2616-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-22-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2616-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

description	pid	process	target process
PID 2536 wrote to memory of 2584	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2584	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2584	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2584	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2592	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2592	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2592	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2592	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe
PID 2536 wrote to memory of 2616	2536	20c677bfe746ef21cb647ec197118313.exe	20c677bfe746ef21cb647ec197118313.exe

Analysis

Sharing