azorult | d4972e632408d130ac20c21fff113636a07cee0fbb133c713222167e37a661a0

General

Target

b27a73bf37f9c4cc6cb15cc2c33e1437.exe
Size

2.3MB
MD5

b27a73bf37f9c4cc6cb15cc2c33e1437
SHA1

ed7e3fcec25ff46faa34761fffeffa386efd4963
SHA256

d4972e632408d130ac20c21fff113636a07cee0fbb133c713222167e37a661a0
SHA512

52cb00876258331053e8a16de27f527a2f7e1d616eef32ef6182b2804d56f2d52eaf4f13cc22819b48ae08b7df1346fbd81635cbe53965a06b94f4775c97c6d3
SSDEEP

49152:N62yDTxuClGJWEszfqA1SC2x608BpRheHVr5K7IRQXv:kxfGcESb1ScPRh2tK7O6v

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://ziz.zzz.com.ua/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Executes dropped EXE 3 IoCs

Processes:

setup.exeCenterUpdater.exesetup.exe

pid process

2580 setup.exe
2660 CenterUpdater.exe
2452 setup.exe

pid	process
2580	setup.exe
2660	CenterUpdater.exe
2452	setup.exe

Loads dropped DLL 9 IoCs

Processes:

b27a73bf37f9c4cc6cb15cc2c33e1437.exesetup.exe

pid	process
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe
2580	setup.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\setup.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

setup.exe

description pid process target process

PID 2580 set thread context of 2452 2580 setup.exe setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

setup.exe

pid process

2580 setup.exe
2580 setup.exe
2580 setup.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

setup.exe

pid process

2580 setup.exe
2580 setup.exe
2580 setup.exe

description	pid	process	target process
PID 2580 set thread context of 2452	2580	setup.exe	setup.exe

pid	process
2580	setup.exe
2580	setup.exe
2580	setup.exe

pid	process
2580	setup.exe
2580	setup.exe
2580	setup.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b27a73bf37f9c4cc6cb15cc2c33e1437.exesetup.exe

description	pid	process	target process
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2580	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2096 wrote to memory of 2660	2096	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe
PID 2580 wrote to memory of 2452	2580	setup.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\b27a73bf37f9c4cc6cb15cc2c33e1437.exe
"C:\Users\Admin\AppData\Local\Temp\b27a73bf37f9c4cc6cb15cc2c33e1437.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2452
- C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe"
  2⤵
  - Executes dropped EXE
  PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CenterUpdater.exe

Filesize
3.8MB

MD5
347d054ab5b4ec0bf4d22a7021a6bf86

SHA1
b2963cea83fe884dac1b901097a8a9fa01b9b256

SHA256
0ab791d7e54807745a5f59cde94946a9522f7853811d27b3977d47bfaab06072

SHA512
2b42602ec509a79124efae7d0aa67dccb434827faf6a4489b1d059c68e30bbb069052759c0ec200c18a3bde92cee27892478804835b5560109b17696b5ed6d0d

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
1.4MB

MD5
3a1e5f74e0d70bf0ec8439fffbf0bb22

SHA1
a685b6952fb1a3477b39eb404ce0b5477c7c2c37

SHA256
abefceafcf523eefa54d0dcbf7911bd1d1e4245d223ed43297a862b3d0d78a90

SHA512
d0e17e1c48b411370413a417efe573d0586d173893898133802cb3092dc4df764d3f2ea9e848d5272e8bb8cdbe8a1e74fd864863931165993c2d9989e7de4a33

Download Submit
memory/2452-33-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2452-36-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2452-42-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-47-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/2580-34-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2660-31-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2660-48-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/2660-50-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads