azorult | adfe6558bd5a1a7daec955583a619308369d3c9d400b8f99d3400e0792227d8b

General

Target

f423e4da4814af3f0a2e85deede8546c.exe
Size

3.1MB
MD5

f423e4da4814af3f0a2e85deede8546c
SHA1

0d9d30ce5fdda6dac9b616b6e468db8af44e34b1
SHA256

adfe6558bd5a1a7daec955583a619308369d3c9d400b8f99d3400e0792227d8b
SHA512

8bfac9aa115fd18883c62fb9840c3a67d55c84e496a5be889e1fededc8890cb3c09780164761b23c9afa248bc820d9e27fda4c53c311360ab40a7f1ca9670881
SSDEEP

98304:8dNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8h:8dNB4ianUstYuUR2CSHsVP8h

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 2 IoCs

Processes:

test.exeFile.exe

pid process

2648 test.exe
1336 File.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exetest.exe

pid process

1860 cmd.exe
2648 test.exe

pid	process
2648	test.exe
1336	File.exe

pid	process
1860	cmd.exe
2648	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2248-1-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2248-31-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2248-53-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

test.exeFile.exe

pid process

2648 test.exe
1336 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2648 test.exe
Token: SeDebugPrivilege 1336 File.exe

pid	process
2648	test.exe
1336	File.exe

description	pid	process
Token: SeDebugPrivilege	2648	test.exe
Token: SeDebugPrivilege	1336	File.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f423e4da4814af3f0a2e85deede8546c.execmd.exetest.exe

description	pid	process	target process
PID 2248 wrote to memory of 1860	2248	f423e4da4814af3f0a2e85deede8546c.exe	cmd.exe
PID 2248 wrote to memory of 1860	2248	f423e4da4814af3f0a2e85deede8546c.exe	cmd.exe
PID 2248 wrote to memory of 1860	2248	f423e4da4814af3f0a2e85deede8546c.exe	cmd.exe
PID 2248 wrote to memory of 1860	2248	f423e4da4814af3f0a2e85deede8546c.exe	cmd.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 1860 wrote to memory of 2648	1860	cmd.exe	test.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe
PID 2648 wrote to memory of 1336	2648	test.exe	File.exe

C:\Users\Admin\AppData\Local\Temp\f423e4da4814af3f0a2e85deede8546c.exe
"C:\Users\Admin\AppData\Local\Temp\f423e4da4814af3f0a2e85deede8546c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1336
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:2236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:2140

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
280KB

MD5
f8178402fb6c3889b2d3ff74c5c67aea

SHA1
ab08d06282f02efb3b20367a9c5049b65f28bbe1

SHA256
860a9bd3095bdb3cd3f6f30830b558ce7267730064bf925c8e1aa3cacf11775a

SHA512
551a24ef012bbd2cb56c7fe1e1fd4e29275408b67ceca1eb5d60b4bf1e1e21b6e8c385727de644bad1b165e8700f5f749d3f0dd715d1cfc2cb18519ddc6e8b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
92KB

MD5
3576acc7092cc10a942b528fcb03eacf

SHA1
2866b901de367bab10124d65bb99d5c6e6ae8e3c

SHA256
a54496f3db7910aa54354041230fee43e1bc503b82e2158523298dd84466165f

SHA512
9bfe97946849224a0ed3225ab71006003dfc4230f8920b0a214af965ed98fef6b33d5bae24268c2bece5f94a7423b93ee343b220b0dc1ad3abdbf64f3c691489

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
92KB

MD5
b14a170e8ce123d0c0233ee9b4c8682e

SHA1
0a332bd23e108aea4dba88a969d8e5c7af101902

SHA256
dc57abd6afc62d9913d160336310909d44cce02dbbd422d22f3477b9ece4c8d9

SHA512
69a120d6979e0951180019be6c08add6b39411d379a9fcbbe81fa99da645a32e04efe93c2a75bb9fc15595f237cfa2b7059ab8f4b52e2502432ee04503428f03

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
64KB

MD5
ec31c24f2df9e1e243cf0829ce0e38af

SHA1
02834f171eeb134fe530a409d50b73c60a783a40

SHA256
c3ebdc0391444f27c33bb71bd14935d334aa5c73cbdbcb2ced1311663fbdf715

SHA512
f3ca1bb6bdc7b9f49d8c3209a8c817316208f328211463e92023ffdc9c88c8287f09927c4a4aff6d38fa472dcef52869098155cc2a908a44fa8bebc1decc3e8f

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1336-16-0x0000000000360000-0x00000000003BC000-memory.dmp

Filesize
368KB

Download
memory/1336-50-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1336-18-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/1336-17-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1336-52-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/1336-19-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/2236-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2248-31-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2248-53-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2248-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2648-7-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/2648-5-0x0000000000030000-0x000000000011E000-memory.dmp

Filesize
952KB

Download
memory/2648-6-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-47-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download
memory/2648-49-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/2648-8-0x0000000004990000-0x0000000004A16000-memory.dmp

Filesize
536KB

Download
memory/2648-51-0x0000000074980000-0x000000007506E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing