azorult | c74313aab2a5ab68bd3645525e6a2187d20281b8874edecbbdcc8f9ebcb97fed

Analysis

max time kernel
140s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

799667af57a95a533d10863a658c30bb.exe
Size

688KB
MD5

799667af57a95a533d10863a658c30bb
SHA1

952615061f288c135f73c7d25cf4f1f10217b7a8
SHA256

c74313aab2a5ab68bd3645525e6a2187d20281b8874edecbbdcc8f9ebcb97fed
SHA512

6a215ba28aff45d85e83e7935d37786839c0cd495583ce9150ddd5bc4266e62a4daef299aedd7880952562b1e596999fc6cb1f079258420e83ac2fd9907cb6ef
SSDEEP

12288:9Qnk3GDYKGcblfxTLWFNThvEjjZobhBrLq8PlCIur/xg4nAOoW6n0zi:HAOcZZTLWvNkenrLqF/n760zi

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 1 IoCs

Processes:

Magnum.exe

pid process

2552 Magnum.exe

pid	process
2552	Magnum.exe

Loads dropped DLL 8 IoCs

Processes:

799667af57a95a533d10863a658c30bb.exeWerFault.exe

pid	process
2372	799667af57a95a533d10863a658c30bb.exe
2372	799667af57a95a533d10863a658c30bb.exe
2372	799667af57a95a533d10863a658c30bb.exe
2372	799667af57a95a533d10863a658c30bb.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe
1096	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1096 2552 WerFault.exe Magnum.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1260 DllHost.exe

pid	pid_target	process	target process
1096	2552	WerFault.exe	Magnum.exe

pid	process
1260	DllHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

799667af57a95a533d10863a658c30bb.exeMagnum.exe

description	pid	process	target process
PID 2372 wrote to memory of 2552	2372	799667af57a95a533d10863a658c30bb.exe	Magnum.exe
PID 2372 wrote to memory of 2552	2372	799667af57a95a533d10863a658c30bb.exe	Magnum.exe
PID 2372 wrote to memory of 2552	2372	799667af57a95a533d10863a658c30bb.exe	Magnum.exe
PID 2372 wrote to memory of 2552	2372	799667af57a95a533d10863a658c30bb.exe	Magnum.exe
PID 2552 wrote to memory of 1096	2552	Magnum.exe	WerFault.exe
PID 2552 wrote to memory of 1096	2552	Magnum.exe	WerFault.exe
PID 2552 wrote to memory of 1096	2552	Magnum.exe	WerFault.exe
PID 2552 wrote to memory of 1096	2552	Magnum.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\799667af57a95a533d10863a658c30bb.exe
"C:\Users\Admin\AppData\Local\Temp\799667af57a95a533d10863a658c30bb.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Magnum.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Magnum.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 764
3⤵
- Loads dropped DLL
- Program crash
PID:1096

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\exe.png

Filesize
192KB

MD5
072f2309e2957f39d88744e27d833dae

SHA1
285b92a9fd4800aa72672f1ccd0674d86754f431

SHA256
c9176035801b34d756f173b5da1499f1e55020650cad64716996b06ab63e5208

SHA512
cc40f628aefa300a4aa356f2f496ea62aac6d54ea8a94f8b367ae8e726cf5129c1ebeeb5c1d078e3c08d4c87ae160afea94c53e45c8e75afb89500651a4c81e5

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Magnum.exe

Filesize
34KB

MD5
4b3f2561840c2b4194ea50b7d6ff6d37

SHA1
2d8dc8e65dfa1c52cecfb3920949442900ca3ab9

SHA256
e0567dce1c6a6178519559ffaa15b21029a1319638cc68e2f91f89f5da3ca43a

SHA512
85b9854c495267a35769b5f96a1fef5e04070839ef205a16ea8d51b0f371ff98f15a4efff986d7a0fd670340f973006afced0644fb9726f7244218a08874430e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Magnum.exe

Filesize
112KB

MD5
6f5a20615232c0c07dc0ca5341432cf2

SHA1
03633cc8adb14d5c9705a37bb7776a754038c459

SHA256
25755846445d7441fd09bd51f2dc59eed673b71c9744b7ecb9a0c14f655a02a9

SHA512
c8cabd720226f37322d9620bbb8697c2ddc672dc80f2b9186c5a89ba26f9714689891e778987d232f6338d35f6db126eae08deb63a35b3a064aca6c4aacbf7c0

Download Submit
memory/1260-7-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1260-8-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1260-30-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2372-6-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/2552-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download