azorult | b0831c1f23202cd936470a346b97d37f39a27a364db9a15f3d2d5d33bb53de13

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 18:14

Target

4e29200e64b17b863a40a2aac18297d0.exe
Size

299KB
MD5

4e29200e64b17b863a40a2aac18297d0
SHA1

0b455c0ec403245ce1c8b54bc0c6dd6a83b9ac56
SHA256

b0831c1f23202cd936470a346b97d37f39a27a364db9a15f3d2d5d33bb53de13
SHA512

3eb664e9906f8ea8b78d23fbb4a1d399dade99be6d214f9b1ff0d7fcc84515fceb0c4dd1d783e6fda86aa2d326ea2835d55e99874aa12a2f408678f07582c680
SSDEEP

6144:YBChpJKe6hjjMLxWNLGwHIA9VAvslnLDEdG/3u9aB:MChpJKjcxARAv8+G/+6

Score

10^/10

Family

azorult

http://203.159.80.93/PL341/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Suspicious use of SetThreadContext 1 IoCs

Processes:

4e29200e64b17b863a40a2aac18297d0.exe

description pid process target process

PID 2100 set thread context of 2472 2100 4e29200e64b17b863a40a2aac18297d0.exe 4e29200e64b17b863a40a2aac18297d0.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

4e29200e64b17b863a40a2aac18297d0.exe

pid process

2100 4e29200e64b17b863a40a2aac18297d0.exe

description	pid	process	target process
PID 2100 set thread context of 2472	2100	4e29200e64b17b863a40a2aac18297d0.exe	4e29200e64b17b863a40a2aac18297d0.exe

pid	process
2100	4e29200e64b17b863a40a2aac18297d0.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

4e29200e64b17b863a40a2aac18297d0.exe

description	pid	process	target process
PID 2100 wrote to memory of 2472	2100	4e29200e64b17b863a40a2aac18297d0.exe	4e29200e64b17b863a40a2aac18297d0.exe
PID 2100 wrote to memory of 2472	2100	4e29200e64b17b863a40a2aac18297d0.exe	4e29200e64b17b863a40a2aac18297d0.exe
PID 2100 wrote to memory of 2472	2100	4e29200e64b17b863a40a2aac18297d0.exe	4e29200e64b17b863a40a2aac18297d0.exe
PID 2100 wrote to memory of 2472	2100	4e29200e64b17b863a40a2aac18297d0.exe	4e29200e64b17b863a40a2aac18297d0.exe
PID 2100 wrote to memory of 2472	2100	4e29200e64b17b863a40a2aac18297d0.exe	4e29200e64b17b863a40a2aac18297d0.exe

C:\Users\Admin\AppData\Local\Temp\4e29200e64b17b863a40a2aac18297d0.exe
"C:\Users\Admin\AppData\Local\Temp\4e29200e64b17b863a40a2aac18297d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\4e29200e64b17b863a40a2aac18297d0.exe
  "C:\Users\Admin\AppData\Local\Temp\4e29200e64b17b863a40a2aac18297d0.exe"
  2⤵
  PID:2472

memory/2100-4-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2100-1-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2100-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2472-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2472-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download