azorult | 8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
17-01-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

629151c519ea438d8c8f1123eb71e751.exe
Size

3.1MB
MD5

629151c519ea438d8c8f1123eb71e751
SHA1

5b6c259947cce3501afb81393890157f1d1fb87f
SHA256

8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07
SHA512

8f592cedbc824a6820c0f37de614fd0f00492bcedd20468e5af00e91f3f06fbe0016421aa87a3f7d68512413226f1ae5e5b82ba4feae19f0a6a0b9f5a296be88
SSDEEP

98304:XdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:XdNB4ianUstYuUR2CSHsVP8x

Score

10^/10

azorult infostealer trojan upx

Malware Config

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

test.exeFile.exetmp.exe

pid process

2736 test.exe
2728 File.exe
2692 tmp.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exetest.exeFile.exe

pid process

3068 cmd.exe
2736 test.exe
2728 File.exe
2728 File.exe
2736 test.exe
2728 File.exe

pid	process
2736	test.exe
2728	File.exe
2692	tmp.exe

pid	process
3068	cmd.exe
2736	test.exe
2728	File.exe
2728	File.exe
2736	test.exe
2728	File.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2400-1-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2400-46-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2400-49-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

test.exeFile.exe

pid process

2736 test.exe
2728 File.exe
2736 test.exe
2728 File.exe
2736 test.exe
2728 File.exe
2736 test.exe
2728 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2736 test.exe
Token: SeDebugPrivilege 2728 File.exe

pid	process
2736	test.exe
2728	File.exe
2736	test.exe
2728	File.exe
2736	test.exe
2728	File.exe
2736	test.exe
2728	File.exe

description	pid	process
Token: SeDebugPrivilege	2736	test.exe
Token: SeDebugPrivilege	2728	File.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

629151c519ea438d8c8f1123eb71e751.execmd.exetest.exeFile.execmd.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 3068	2400	629151c519ea438d8c8f1123eb71e751.exe	cmd.exe
PID 2400 wrote to memory of 3068	2400	629151c519ea438d8c8f1123eb71e751.exe	cmd.exe
PID 2400 wrote to memory of 3068	2400	629151c519ea438d8c8f1123eb71e751.exe	cmd.exe
PID 2400 wrote to memory of 3068	2400	629151c519ea438d8c8f1123eb71e751.exe	cmd.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 3068 wrote to memory of 2736	3068	cmd.exe	test.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2736 wrote to memory of 2728	2736	test.exe	File.exe
PID 2728 wrote to memory of 2692	2728	File.exe	tmp.exe
PID 2728 wrote to memory of 2692	2728	File.exe	tmp.exe
PID 2728 wrote to memory of 2692	2728	File.exe	tmp.exe
PID 2728 wrote to memory of 2692	2728	File.exe	tmp.exe
PID 2736 wrote to memory of 2560	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2560	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2560	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2560	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2952	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2952	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2952	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 2952	2736	test.exe	cmd.exe
PID 2728 wrote to memory of 1440	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 1440	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 1440	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 1440	2728	File.exe	cmd.exe
PID 2952 wrote to memory of 1532	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1532	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1532	2952	cmd.exe	reg.exe
PID 2952 wrote to memory of 1532	2952	cmd.exe	reg.exe
PID 2728 wrote to memory of 1252	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 1252	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 1252	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 1252	2728	File.exe	cmd.exe
PID 1252 wrote to memory of 2760	1252	cmd.exe	reg.exe
PID 1252 wrote to memory of 2760	1252	cmd.exe	reg.exe
PID 1252 wrote to memory of 2760	1252	cmd.exe	reg.exe
PID 1252 wrote to memory of 2760	1252	cmd.exe	reg.exe
PID 2736 wrote to memory of 296	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 296	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 296	2736	test.exe	cmd.exe
PID 2736 wrote to memory of 296	2736	test.exe	cmd.exe
PID 2728 wrote to memory of 2448	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 2448	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 2448	2728	File.exe	cmd.exe
PID 2728 wrote to memory of 2448	2728	File.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe
"C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c test.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
5⤵
- NTFS ADS
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
5⤵
PID:1440

C:\Users\Admin\AppData\Roaming\tmp.exe
"C:\Users\Admin\AppData\Roaming\tmp.exe"
5⤵
- Executes dropped EXE
PID:2692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
5⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
4⤵
- NTFS ADS
PID:296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
4⤵
PID:2560

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
154KB

MD5
4efeab242d270c008186cbcf32510981

SHA1
3e2eaa76641e4ed0b9f2c9a5a5f25608849c899c

SHA256
26805a2fa33fa59b198874a562f8d0ef0b1708a1e01f63c53d8ae4af6e044af7

SHA512
13bee683966186a899bb411ee09e5e7b46db56affae7aa59ecde1c594a4d459dba1f466176639aa0200f8f310a1a1f4387819c61b8e4aef4c49781e9826a12b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
201KB

MD5
f9541d363fe357fc8f4a8994759bb17a

SHA1
bb1e10f49ea07d3eb7a384169e830bea4ed31e37

SHA256
64a868ec69da470ea50e7828db3f2265909a5d926b5897f22b0eafbba0a7a1e4

SHA512
efae193077a87e8f9cbafeae4b19a5607f17e8b9003c4cff7d8b5e5ea38ba9b0f54341fa998ce8bafee43b89fdc0192da3da3a9ffed55a315361f55e3640aa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
947B

MD5
386f9cfd5d79d37525dec6a4a5fe03ef

SHA1
fcfdd69029f9eb6abb9a0c94d8d26951f93f9a3f

SHA256
32603ad059556d63f968f1558e3fcd383cb89aaca9f886f7bee995b3752184c6

SHA512
cd00e9d4d455ba526fabe7bf6561461120a362ebed5ee55e053fdd907de44111c0f35a092d9ea82ce57975335af653004590441852e31928d074c318a2737308

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier

Filesize
27B

MD5
130a75a932a2fe57bfea6a65b88da8f6

SHA1
b66d7530d150d45c0a390bb3c2cd4ca4fc404d1c

SHA256
f2b79cae559d6772afc1c2ed9468988178f8b6833d5028a15dea73ce47d0196e

SHA512
6cd147c6f3af95803b7b0898e97ec2ed374c1f56a487b50e3d22003a67cec26a6fa12a3920b1b5624bde156f9601469ae3c7b7354fa8cf37be76c84121767eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
649KB

MD5
773d26c92008e9134317166ac2d2b57b

SHA1
47ae9cfed67800e9076020806cb15eeecdf821b4

SHA256
e9bcb3fb10d9378e3580dd870c5498d422ac56bf08dae49bda0116daab9a8e15

SHA512
717d06755530b8fdd79a840f1174bd6a8055258911d19ca39974b2673edd5eea4fbb60814e4d3c4a32137a10ce1e980cc23c0509d065d895385428a919a8d602

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
438KB

MD5
14187ab92edd9473119054aab4a53e10

SHA1
6a17c85c15355daf9a9e8cb35ff3610d85545ee7

SHA256
08564c21c339d5fd7f46109ed56589ab657858b09d18e76d21b49ec4a5e1afea

SHA512
d7ae8c12cfe76fe86b6d022689f001d173cc7b6abdceb3c3ab1f5e88906edb1036a7255c3b354714ecf5deb8bee45ff54afb9a5652dcd8163b7ab2d11265054b

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
256KB

MD5
89c4e3e78187cc240982ec70f69d7931

SHA1
6520ceb8c1a8ab02b961741208165e3d6478d3f0

SHA256
b0a3778ba98201926d4b606dfa35a7f9fa908ef82145d3652ba3b62154385a98

SHA512
ae1ef9cad44da552208c11b842a38a3f039c6f71bfceea38096b769902156bc11adbfac5ae7705901fc5a8c1352e9b214d50fe80b4c737e5f995eaf61a75ad59

Download Submit
\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
342KB

MD5
37c82e15058e2f8f5e9525b956e6440d

SHA1
3bf20d00bd7a7943c4066d534f5b276cac5ae39f

SHA256
80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

SHA512
5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
374KB

MD5
136c2ff4efeb69a93128f465bc4a5108

SHA1
ffd18de587f67e973798f802dcc12023fce2d26f

SHA256
86ec4be4241a903c193282005c9b9f6ae7a63c3da591d953371b3a17671d6392

SHA512
f2e56da29b22fce1b2632ccb3764f4f9a3dda79eb1b01178bc09b00a8d97ea05dd5b6668eb2d63570cae7be94d314ebace02c89af58a1528b6896e763e28365c

Download Submit
memory/2400-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2400-46-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2400-49-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2692-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-18-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-17-0x00000000004C0000-0x00000000004E4000-memory.dmp

Filesize
144KB

Download
memory/2728-19-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2728-16-0x0000000000BD0000-0x0000000000C2C000-memory.dmp

Filesize
368KB

Download
memory/2728-48-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-8-0x0000000000C70000-0x0000000000CF6000-memory.dmp

Filesize
536KB

Download
memory/2736-7-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/2736-5-0x0000000001030000-0x000000000111E000-memory.dmp

Filesize
952KB

Download
memory/2736-47-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download
memory/2736-6-0x0000000074930000-0x000000007501E000-memory.dmp

Filesize
6.9MB

Download