azorult | 20ab52e4380262d3d83ddf0898b715d72d1feca497c566bfb952824cd6c76bc1

General

Target

8791a2b797c21d7830ea9ac9a8a5a5bd.exe
Size

1.2MB
MD5

8791a2b797c21d7830ea9ac9a8a5a5bd
SHA1

64fb146114087b4bcc1fa0ca069bd936bfd81d8e
SHA256

20ab52e4380262d3d83ddf0898b715d72d1feca497c566bfb952824cd6c76bc1
SHA512

438e530e8481b530318498157627dd594b84e88e689c7409e76fef84175906d62e2d900492beb1f0c94ad8a2d0a4b9ed47e2b93b8a27d2ef74e555cfd7caba51
SSDEEP

24576:ydOsBgo0q4wM1BmCmTOUd+L6kbXWi3vEA4r6nNd86:y8oHMDmCm6Ud+zbXt3vs6nz8

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://37.0.10.25/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/836-3-0x00000000003A0000-0x00000000003B2000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

8791a2b797c21d7830ea9ac9a8a5a5bd.exe

description pid process target process

PID 836 set thread context of 2712 836 8791a2b797c21d7830ea9ac9a8a5a5bd.exe 8791a2b797c21d7830ea9ac9a8a5a5bd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2816 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8791a2b797c21d7830ea9ac9a8a5a5bd.exe

pid process

836 8791a2b797c21d7830ea9ac9a8a5a5bd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

8791a2b797c21d7830ea9ac9a8a5a5bd.exe

description pid process

Token: SeDebugPrivilege 836 8791a2b797c21d7830ea9ac9a8a5a5bd.exe

description	pid	process	target process
PID 836 set thread context of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe

pid	process
2816	schtasks.exe

pid	process
836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe

description	pid	process
Token: SeDebugPrivilege	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

8791a2b797c21d7830ea9ac9a8a5a5bd.exe

description	pid	process	target process
PID 836 wrote to memory of 2816	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	schtasks.exe
PID 836 wrote to memory of 2816	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	schtasks.exe
PID 836 wrote to memory of 2816	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	schtasks.exe
PID 836 wrote to memory of 2816	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	schtasks.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe
PID 836 wrote to memory of 2712	836	8791a2b797c21d7830ea9ac9a8a5a5bd.exe	8791a2b797c21d7830ea9ac9a8a5a5bd.exe

C:\Users\Admin\AppData\Local\Temp\8791a2b797c21d7830ea9ac9a8a5a5bd.exe
"C:\Users\Admin\AppData\Local\Temp\8791a2b797c21d7830ea9ac9a8a5a5bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BzuuSqB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB54B.tmp"
2⤵
- Creates scheduled task(s)
PID:2816

C:\Users\Admin\AppData\Local\Temp\8791a2b797c21d7830ea9ac9a8a5a5bd.exe
"C:\Users\Admin\AppData\Local\Temp\8791a2b797c21d7830ea9ac9a8a5a5bd.exe"
2⤵
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB54B.tmp
Filesize
1KB

MD5
8179974a76b56bb5e03413a14a711639

SHA1
419a76809c8e64349545237dfe14f7f71aa2813e

SHA256
4b755f4f7e3e6deecd9d0833a821e93df9fb400517aed353fd0168f36d0db12b

SHA512
e05c4d04a3c3c9094d988ffd87ee1adf93a4699f09d6332ccb7107932c1daad79b11764f7e0e37bef0ac85450e51f5d39a5358337712dff2b958d2e4eda791bd

Download Submit
memory/836-0-0x00000000010C0000-0x00000000011F0000-memory.dmp

Filesize
1.2MB

Download
memory/836-1-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/836-2-0x0000000004F70000-0x0000000004FB0000-memory.dmp

Filesize
256KB

Download
memory/836-3-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/836-4-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/836-5-0x0000000004F70000-0x0000000004FB0000-memory.dmp

Filesize
256KB

Download
memory/836-6-0x0000000004940000-0x00000000049AE000-memory.dmp

Filesize
440KB

Download
memory/836-7-0x00000000009B0000-0x00000000009D8000-memory.dmp

Filesize
160KB

Download
memory/836-29-0x0000000074440000-0x0000000074B2E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-17-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-28-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2712-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads