azorult | 902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 19:53

Target

78403b3c4175178c7984db73cc7945d5.exe
Size

319KB
MD5

78403b3c4175178c7984db73cc7945d5
SHA1

bdffc6c6bd6aff8bb80b411f73d03bde1cd336ed
SHA256

902915735433450152149d1be3053f4a30ad6374199cd3499c2272e58e4f0ce8
SHA512

d78dafbddf77d8cbcbce8e6b6196afa0b65be005381ecd5db8fc91f659bd6b130ab2613e9bb9d2ded66d0c5b692eea28eed6d74d88a218528a7df51630bd5c31
SSDEEP

6144:gxtvJ/xaqBuFUc6ANnxoT9jqjATdz6j+qlYcs4OxM4vbPf4J:gjFxa3t6jT56KRRzv

Score

10^/10

Family

azorult

https://updserv.ga/Panel/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4312-7-0x0000000005200000-0x0000000005216000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

78403b3c4175178c7984db73cc7945d5.exe

description pid process target process

PID 4312 set thread context of 1612 4312 78403b3c4175178c7984db73cc7945d5.exe 78403b3c4175178c7984db73cc7945d5.exe

description	pid	process	target process
PID 4312 set thread context of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

78403b3c4175178c7984db73cc7945d5.exe

description	pid	process	target process
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe
PID 4312 wrote to memory of 1612	4312	78403b3c4175178c7984db73cc7945d5.exe	78403b3c4175178c7984db73cc7945d5.exe

C:\Users\Admin\AppData\Local\Temp\78403b3c4175178c7984db73cc7945d5.exe
"C:\Users\Admin\AppData\Local\Temp\78403b3c4175178c7984db73cc7945d5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\78403b3c4175178c7984db73cc7945d5.exe
  "C:\Users\Admin\AppData\Local\Temp\78403b3c4175178c7984db73cc7945d5.exe"
  2⤵
  PID:1612

memory/1612-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-11-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4312-3-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/4312-4-0x0000000005090000-0x00000000050DC000-memory.dmp

Filesize
304KB

Download
memory/4312-6-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4312-7-0x0000000005200000-0x0000000005216000-memory.dmp

Filesize
88KB

Download
memory/4312-5-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/4312-0-0x00000000006C0000-0x0000000000716000-memory.dmp

Filesize
344KB

Download
memory/4312-12-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download
memory/4312-2-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/4312-1-0x00000000745F0000-0x0000000074DA0000-memory.dmp

Filesize
7.7MB

Download