azorult | 81367795956e95f29bc717f98bbae4e5a568badb8226aafa08774156df2b129f

General

Target

371268663c923cffb927f6a5d151ff56.exe
Size

3.1MB
MD5

371268663c923cffb927f6a5d151ff56
SHA1

f009c7ae7ff41fcdeda11dcd0323d3a38a026718
SHA256

81367795956e95f29bc717f98bbae4e5a568badb8226aafa08774156df2b129f
SHA512

4ac459dc845ae3cd69ef0e2591fb3f26e16a54b1cfd2a913fd2691f64612a6858b34cece03613536f26310516b850bbcc222fc091bce8feb415bb985f92ac16d
SSDEEP

98304:QdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf83:QdNB4ianUstYuUR2CSHsVP83

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

test.exeFile.exetmp.exe

pid process

2792 test.exe
540 File.exe
2620 tmp.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exetest.exeFile.exe

pid process

2696 cmd.exe
2792 test.exe
540 File.exe
540 File.exe
2792 test.exe
540 File.exe

pid	process
2792	test.exe
540	File.exe
2620	tmp.exe

pid	process
2696	cmd.exe
2792	test.exe
540	File.exe
540	File.exe
2792	test.exe
540	File.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2320-1-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2320-44-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2320-48-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

test.exeFile.exe

pid process

2792 test.exe
540 File.exe
2792 test.exe
540 File.exe
2792 test.exe
540 File.exe
2792 test.exe
540 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2792 test.exe
Token: SeDebugPrivilege 540 File.exe

pid	process
2792	test.exe
540	File.exe
2792	test.exe
540	File.exe
2792	test.exe
540	File.exe
2792	test.exe
540	File.exe

description	pid	process
Token: SeDebugPrivilege	2792	test.exe
Token: SeDebugPrivilege	540	File.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

371268663c923cffb927f6a5d151ff56.execmd.exetest.exeFile.execmd.execmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 2696	2320	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2320 wrote to memory of 2696	2320	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2320 wrote to memory of 2696	2320	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2320 wrote to memory of 2696	2320	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2696 wrote to memory of 2792	2696	cmd.exe	test.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 2792 wrote to memory of 540	2792	test.exe	File.exe
PID 540 wrote to memory of 2620	540	File.exe	tmp.exe
PID 540 wrote to memory of 2620	540	File.exe	tmp.exe
PID 540 wrote to memory of 2620	540	File.exe	tmp.exe
PID 540 wrote to memory of 2620	540	File.exe	tmp.exe
PID 2792 wrote to memory of 2616	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 2616	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 2616	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 2616	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 524	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 524	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 524	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 524	2792	test.exe	cmd.exe
PID 540 wrote to memory of 1052	540	File.exe	cmd.exe
PID 540 wrote to memory of 1052	540	File.exe	cmd.exe
PID 540 wrote to memory of 1052	540	File.exe	cmd.exe
PID 540 wrote to memory of 1052	540	File.exe	cmd.exe
PID 524 wrote to memory of 968	524	cmd.exe	reg.exe
PID 524 wrote to memory of 968	524	cmd.exe	reg.exe
PID 524 wrote to memory of 968	524	cmd.exe	reg.exe
PID 524 wrote to memory of 968	524	cmd.exe	reg.exe
PID 540 wrote to memory of 2744	540	File.exe	cmd.exe
PID 540 wrote to memory of 2744	540	File.exe	cmd.exe
PID 540 wrote to memory of 2744	540	File.exe	cmd.exe
PID 540 wrote to memory of 2744	540	File.exe	cmd.exe
PID 2744 wrote to memory of 2916	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2916	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2916	2744	cmd.exe	reg.exe
PID 2744 wrote to memory of 2916	2744	cmd.exe	reg.exe
PID 2792 wrote to memory of 2956	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 2956	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 2956	2792	test.exe	cmd.exe
PID 2792 wrote to memory of 2956	2792	test.exe	cmd.exe
PID 540 wrote to memory of 2980	540	File.exe	cmd.exe
PID 540 wrote to memory of 2980	540	File.exe	cmd.exe
PID 540 wrote to memory of 2980	540	File.exe	cmd.exe
PID 540 wrote to memory of 2980	540	File.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\371268663c923cffb927f6a5d151ff56.exe
"C:\Users\Admin\AppData\Local\Temp\371268663c923cffb927f6a5d151ff56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        NTFS ADS
        
        PID:2980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2744
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:1052
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:2956
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:2616

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
342KB

MD5
37c82e15058e2f8f5e9525b956e6440d

SHA1
3bf20d00bd7a7943c4066d534f5b276cac5ae39f

SHA256
80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

SHA512
5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
memory/540-17-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/540-46-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/540-16-0x0000000000300000-0x000000000035C000-memory.dmp

Filesize
368KB

Download
memory/540-18-0x0000000000500000-0x0000000000524000-memory.dmp

Filesize
144KB

Download
memory/540-19-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2320-44-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2320-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2320-48-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2620-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2792-8-0x0000000004430000-0x00000000044B6000-memory.dmp

Filesize
536KB

Download
memory/2792-7-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/2792-5-0x0000000000F40000-0x000000000102E000-memory.dmp

Filesize
952KB

Download
memory/2792-6-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-47-0x00000000746B0000-0x0000000074D9E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads