azorult | b32d33a5000986d02db5ef08b47d33dd32c208c8fcd328c14f29798838f8c000

Analysis

max time kernel
90s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
Size

876KB
MD5

8925082557f9ff4e72f7dc0bd2ee0c9c
SHA1

056d1a930e31e5ce58d836b827d203d9fe60af2a
SHA256

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4
SHA512

7a807cb16f029ee13e5bef886bbdaaff343ffb7e9def24e6a5b053d2235719cefaf6aa742d2af5d9200cbc3407cc445a0e12f08c63f62dff73bc25b06cd2493e
SSDEEP

12288:5XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXV:8sGRdrEAbm4zesGRdrEAbm4zMX06eyM

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://cafirepacks.com/pub/fon/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

Processes:

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

description	pid	process	target process
PID 3612 set thread context of 4980	3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4936 4980 WerFault.exe 8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

pid	pid_target	process	target process
4936	4980	WerFault.exe	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

pid	process
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
4980	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

pid process

3612 8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

pid process

3612 8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

pid	process
3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

pid	process
3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

description	pid	process	target process
PID 3612 wrote to memory of 4980	3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
PID 3612 wrote to memory of 4980	3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
PID 3612 wrote to memory of 4980	3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
PID 3612 wrote to memory of 4980	3612	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe	8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe

C:\Users\Admin\AppData\Local\Temp\8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
"C:\Users\Admin\AppData\Local\Temp\8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe
  "C:\Users\Admin\AppData\Local\Temp\8e717d95d5e1039d3effeebbc38bf00facd5ced07e9c40c5c37b32a11026d0c4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 960
    3⤵
    - Program crash
    PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
1⤵
PID:4808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3612-50-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-73-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-11-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-12-0x0000000074BC0000-0x0000000074D1D000-memory.dmp

Filesize
1.4MB

Download
memory/3612-14-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-18-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-17-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-21-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-23-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-25-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-27-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-29-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-31-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-32-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-34-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-36-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-38-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-42-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-40-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-43-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-44-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-46-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-48-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-53-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-2-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/3612-51-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-52-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-49-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-4-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/3612-45-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-69-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-72-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-75-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-76-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-82-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-84-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-87-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-86-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-85-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/3612-83-0x0000000074BC0000-0x0000000074D1D000-memory.dmp

Filesize
1.4MB

Download
memory/3612-81-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-79-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/3612-67-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-71-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/3612-47-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/4980-88-0x0000000076F72000-0x0000000076F73000-memory.dmp

Filesize
4KB

Download
memory/4980-78-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4980-89-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4980-90-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/4980-74-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4980-91-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4980-92-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/4980-93-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download