azorult | b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857

General

Target

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
Size

414KB
MD5

ce717ce09f6aeaaab7d13f2f1b49fe85
SHA1

55fecd0b70fdee09035105c3dda1d6dd987e61d6
SHA256

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857
SHA512

d4e37f82cec810c5c4ea651b63e871b5ce40acd7b74f3a956f4e2d29356493d195dcea634b946509330f1d415168e0761a7597d9909a9d5e0a49d961ed9a3694
SSDEEP

6144:L4t6Lsvq5WSBHh/5cK/vBHc2Z1qkyi9lscIKAhDG4TXAog6cjmSlJej:LkvqcSBHh/5zRHBgkyrKAv5pcCoJk

Score

10^/10

azorult guloader downloader infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 4 IoCs

Processes:

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

pid	process
4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

pid process

3176 b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

pid	process
3176	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exeb09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

pid	process
4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
3176	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

description	pid	process	target process
PID 4480 set thread context of 3176	4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

pid process

4480 b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

description	pid	process	target process
PID 4480 wrote to memory of 3176	4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
PID 4480 wrote to memory of 3176	4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
PID 4480 wrote to memory of 3176	4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
PID 4480 wrote to memory of 3176	4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
PID 4480 wrote to memory of 3176	4480	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe	b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe

C:\Users\Admin\AppData\Local\Temp\b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
"C:\Users\Admin\AppData\Local\Temp\b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe
"C:\Users\Admin\AppData\Local\Temp\b09c72bf641ac0a02873bc9621c4985b6f9d08f41de614e33b79b91bf1f6c857.exe"
2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsf1EA0.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1EA0.tmp\nsDialogs.dll

Filesize
9KB

MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf1EA0.tmp\nsExec.dll

Filesize
6KB

MD5
b55f7f1b17c39018910c23108f929082

SHA1
1601f1cc0d0d6bcf35799b7cd15550cd01556172

SHA256
c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7

SHA512
d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa

Download Submit
memory/3176-31-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3176-26-0x0000000001700000-0x00000000049C9000-memory.dmp

Filesize
50.8MB

Download
memory/3176-27-0x0000000077948000-0x0000000077949000-memory.dmp

Filesize
4KB

Download
memory/3176-28-0x0000000077965000-0x0000000077966000-memory.dmp

Filesize
4KB

Download
memory/3176-29-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3176-30-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/3176-32-0x00000000004A0000-0x00000000016F4000-memory.dmp

Filesize
18.3MB

Download
memory/3176-34-0x0000000001700000-0x00000000049C9000-memory.dmp

Filesize
50.8MB

Download
memory/3176-33-0x00000000778C1000-0x00000000779E1000-memory.dmp

Filesize
1.1MB

Download
memory/4480-23-0x0000000005270000-0x0000000008539000-memory.dmp

Filesize
50.8MB

Download
memory/4480-24-0x00000000778C1000-0x00000000779E1000-memory.dmp

Filesize
1.1MB

Download
memory/4480-25-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/4480-22-0x0000000005270000-0x0000000008539000-memory.dmp

Filesize
50.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads