azorult | 4e77b03fc9937ac68121e3121cf062ba0994ba4aa06d2ccde468ce2a91cda61f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCS-1600017889PO400121-2024.exe
Size

439KB
MD5

e701d67db9d3705ede459a111ccf89c6
SHA1

f08495fb38e4be8bf6bc445bf7296791d6c4db81
SHA256

4e77b03fc9937ac68121e3121cf062ba0994ba4aa06d2ccde468ce2a91cda61f
SHA512

eec6c54dda15ed582985ff875a091e1b09da7f1965b4fd9febf2eaa4701b73acf671b9a4226c3cd7c725c5eeaab91d144209f0fc12efc35d5e6d3673ccee1869
SSDEEP

12288:EiMpilGo/x8uusxz4Yypk8D8lK+3pvGxuqTypR6snVWvHSb:EiMSGo/x8uus2YyC8olyuqKRnVWu

Score

10^/10

azorult guloader collection discovery downloader infostealer spyware stealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 5 IoCs

Processes:

DOCS-1600017889PO400121-2024.exeDOCS-1600017889PO400121-2024.exe

pid	process
1880	DOCS-1600017889PO400121-2024.exe
1936	DOCS-1600017889PO400121-2024.exe
1936	DOCS-1600017889PO400121-2024.exe
1936	DOCS-1600017889PO400121-2024.exe
1936	DOCS-1600017889PO400121-2024.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

DOCS-1600017889PO400121-2024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DOCS-1600017889PO400121-2024.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	DOCS-1600017889PO400121-2024.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	DOCS-1600017889PO400121-2024.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

pid process

1936 DOCS-1600017889PO400121-2024.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DOCS-1600017889PO400121-2024.exeDOCS-1600017889PO400121-2024.exe

pid process

1880 DOCS-1600017889PO400121-2024.exe
1936 DOCS-1600017889PO400121-2024.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

description pid process target process

PID 1880 set thread context of 1936 1880 DOCS-1600017889PO400121-2024.exe DOCS-1600017889PO400121-2024.exe
Drops file in Program Files directory 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

description ioc process

File opened for modification C:\Program Files (x86)\elvtedelen\calamined.hat DOCS-1600017889PO400121-2024.exe
Drops file in Windows directory 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

description ioc process

File opened for modification C:\Windows\Fonts\snibbed\Voss.fre DOCS-1600017889PO400121-2024.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3016 1936 WerFault.exe DOCS-1600017889PO400121-2024.exe

pid	process
1936	DOCS-1600017889PO400121-2024.exe

description	pid	process	target process
PID 1880 set thread context of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\elvtedelen\calamined.hat	DOCS-1600017889PO400121-2024.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\snibbed\Voss.fre	DOCS-1600017889PO400121-2024.exe

pid	pid_target	process	target process
3016	1936	WerFault.exe	DOCS-1600017889PO400121-2024.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DOCS-1600017889PO400121-2024.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DOCS-1600017889PO400121-2024.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DOCS-1600017889PO400121-2024.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

pid process

1936 DOCS-1600017889PO400121-2024.exe
1936 DOCS-1600017889PO400121-2024.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

pid process

1880 DOCS-1600017889PO400121-2024.exe

pid	process
1936	DOCS-1600017889PO400121-2024.exe
1936	DOCS-1600017889PO400121-2024.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

description	pid	process	target process
PID 1880 wrote to memory of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe
PID 1880 wrote to memory of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe
PID 1880 wrote to memory of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe
PID 1880 wrote to memory of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe
PID 1880 wrote to memory of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe
PID 1880 wrote to memory of 1936	1880	DOCS-1600017889PO400121-2024.exe	DOCS-1600017889PO400121-2024.exe

outlook_office_path 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	DOCS-1600017889PO400121-2024.exe

outlook_win_path 1 IoCs

Processes:

DOCS-1600017889PO400121-2024.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	DOCS-1600017889PO400121-2024.exe

C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS-1600017889PO400121-2024.exe"
2⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1848
3⤵
- Program crash
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1936 -ip 1936
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2001EC75\mozglue.dll

Filesize
135KB

MD5
9e682f1eb98a9d41468fc3e50f907635

SHA1
85e0ceca36f657ddf6547aa0744f0855a27527ee

SHA256
830533bb569594ec2f7c07896b90225006b90a9af108f49d6fb6bebd02428b2d

SHA512
230230722d61ac1089fabf3f2decfa04f9296498f8e2a2a49b1527797dca67b5a11ab8656f04087acadf873fa8976400d57c77c404eba4aff89d92b9986f32ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\2001EC75\msvcp140.dll

Filesize
184KB

MD5
faa633626a29608203d48145c53dba89

SHA1
10dd9aa10da4585c8ef03167f922b3c33c3b7830

SHA256
d052e6cef70999589970f75ab387899d4490bab84cbfa0e6026c6a0dfb62c799

SHA512
d95b0ca8ad5765ada7456c4d687b7c86b05e52b7737c3b00bde8ff4071e1bea36442137e155f52a98998699281082a025d5299ac554f6fddde8cdb40aaa8e7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\2001EC75\nss3.dll

Filesize
163KB

MD5
7c2c05b0ebcf450b61727acb5dafa914

SHA1
e9e8a287cee556c83e0030102ff6873d652292aa

SHA256
b85340ef2a4b9dd8a5fd5371a55c001070a77817df612030a16dd91182a4f7d4

SHA512
53a03bef58e97f1cba5544ab87da0045f5762989b24b943e35e21042327d5f5f66271dbe7c64d9225990f10b4e3a421e97ca2bbcf55875702773ef91b20d3615

Download Submit
C:\Users\Admin\AppData\Local\Temp\2001EC75\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf6080.tmp\System.dll

Filesize
12KB

MD5
d968cb2b98b83c03a9f02dd9b8df97dc

SHA1
d784c9b7a92dce58a5038beb62a48ff509e166a0

SHA256
a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

SHA512
2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

Download Submit
memory/1880-17-0x0000000004B50000-0x0000000005FDD000-memory.dmp

Filesize
20.6MB

Download
memory/1880-18-0x0000000077171000-0x0000000077291000-memory.dmp

Filesize
1.1MB

Download
memory/1880-19-0x0000000073DC0000-0x0000000073DC7000-memory.dmp

Filesize
28KB

Download
memory/1880-22-0x0000000004B50000-0x0000000005FDD000-memory.dmp

Filesize
20.6MB

Download
memory/1936-26-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/1936-25-0x0000000000590000-0x0000000001A1D000-memory.dmp

Filesize
20.6MB

Download
memory/1936-27-0x0000000072B60000-0x0000000073DB4000-memory.dmp

Filesize
18.3MB

Download
memory/1936-28-0x0000000000590000-0x0000000001A1D000-memory.dmp

Filesize
20.6MB

Download
memory/1936-29-0x0000000072B60000-0x0000000073DB4000-memory.dmp

Filesize
18.3MB

Download
memory/1936-30-0x0000000077171000-0x0000000077291000-memory.dmp

Filesize
1.1MB

Download
memory/1936-31-0x0000000072B60000-0x0000000073DB4000-memory.dmp

Filesize
18.3MB

Download
memory/1936-24-0x0000000072B60000-0x0000000073DB4000-memory.dmp

Filesize
18.3MB

Download
memory/1936-23-0x0000000077215000-0x0000000077216000-memory.dmp

Filesize
4KB

Download
memory/1936-21-0x00000000771F8000-0x00000000771F9000-memory.dmp

Filesize
4KB

Download
memory/1936-20-0x0000000000590000-0x0000000001A1D000-memory.dmp

Filesize
20.6MB

Download
memory/1936-92-0x0000000072B60000-0x0000000073DB4000-memory.dmp

Filesize
18.3MB

Download