azorult | d4972e632408d130ac20c21fff113636a07cee0fbb133c713222167e37a661a0

General

Target

b27a73bf37f9c4cc6cb15cc2c33e1437.exe
Size

2.3MB
MD5

b27a73bf37f9c4cc6cb15cc2c33e1437
SHA1

ed7e3fcec25ff46faa34761fffeffa386efd4963
SHA256

d4972e632408d130ac20c21fff113636a07cee0fbb133c713222167e37a661a0
SHA512

52cb00876258331053e8a16de27f527a2f7e1d616eef32ef6182b2804d56f2d52eaf4f13cc22819b48ae08b7df1346fbd81635cbe53965a06b94f4775c97c6d3
SSDEEP

49152:N62yDTxuClGJWEszfqA1SC2x608BpRheHVr5K7IRQXv:kxfGcESb1ScPRh2tK7O6v

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://ziz.zzz.com.ua/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b27a73bf37f9c4cc6cb15cc2c33e1437.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	b27a73bf37f9c4cc6cb15cc2c33e1437.exe

Executes dropped EXE 3 IoCs

Processes:

setup.exeCenterUpdater.exesetup.exe

pid process

2656 setup.exe
4696 CenterUpdater.exe
716 setup.exe

pid	process
2656	setup.exe
4696	CenterUpdater.exe
716	setup.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\setup.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

setup.exe

description pid process target process

PID 2656 set thread context of 716 2656 setup.exe setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

setup.exe

pid process

2656 setup.exe
2656 setup.exe
2656 setup.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

setup.exe

pid process

2656 setup.exe
2656 setup.exe
2656 setup.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

CenterUpdater.exe

pid process

4696 CenterUpdater.exe

description	pid	process	target process
PID 2656 set thread context of 716	2656	setup.exe	setup.exe

pid	process
2656	setup.exe
2656	setup.exe
2656	setup.exe

pid	process
2656	setup.exe
2656	setup.exe
2656	setup.exe

pid	process
4696	CenterUpdater.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

b27a73bf37f9c4cc6cb15cc2c33e1437.exesetup.exe

description	pid	process	target process
PID 4804 wrote to memory of 2656	4804	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 4804 wrote to memory of 2656	4804	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 4804 wrote to memory of 2656	4804	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	setup.exe
PID 4804 wrote to memory of 4696	4804	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 4804 wrote to memory of 4696	4804	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 4804 wrote to memory of 4696	4804	b27a73bf37f9c4cc6cb15cc2c33e1437.exe	CenterUpdater.exe
PID 2656 wrote to memory of 716	2656	setup.exe	setup.exe
PID 2656 wrote to memory of 716	2656	setup.exe	setup.exe
PID 2656 wrote to memory of 716	2656	setup.exe	setup.exe
PID 2656 wrote to memory of 716	2656	setup.exe	setup.exe
PID 2656 wrote to memory of 716	2656	setup.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\b27a73bf37f9c4cc6cb15cc2c33e1437.exe
"C:\Users\Admin\AppData\Local\Temp\b27a73bf37f9c4cc6cb15cc2c33e1437.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Executes dropped EXE
PID:716

C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe
Filesize
2.6MB

MD5
0e74dd1117db596c6aca3ced4d40537c

SHA1
409285302fe3280cf1fac00236d1de1269380844

SHA256
937f98c8f53538e951eb9875daea08a5509e82fb713edfec2d7f5823f2da917f

SHA512
44878c70c3394a09a58cead0ad20dbe8f01e2a0806ebe3ee1fb45c72b85e7418961fb059d44ef3db74b6cc889a374632bf3cef514a1139e67859c8b39fe48a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe
Filesize
2.8MB

MD5
f46ec9f681251887794e4293207495b8

SHA1
93e86b1e6232bfc0bb4dc2c5368386c5d3a754fc

SHA256
ab0c9c27d58374df2d1287da9f227d5872ce7282a8df1a956bfe2c8335f4d4cf

SHA512
0b54619de5a550e33d6eefa55572e6bed8a26e3f48cf6fe5e2a2a520d515840e09f6448119a38602d55485ea04a8fad27db9fcf6af73146a74daca7c49fb71f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CenterUpdater.exe
Filesize
3.7MB

MD5
dcb3c21a704a3b8e9a48260c28d73538

SHA1
da7fa15309155bc76a4848675978641e74573671

SHA256
2262293d46ebc60e40f4aca9fce07e5120ecc54f10b08d16751e8f6eb6f32cc1

SHA512
1ad3bac98da73431ccd7d4f220cc94611234a3c0d005c39ede16ec196dc509fa6e44641f564fdb118136cf9a341482a803b10447df8fc657debb0e8e7bc95e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
1.4MB

MD5
3a1e5f74e0d70bf0ec8439fffbf0bb22

SHA1
a685b6952fb1a3477b39eb404ce0b5477c7c2c37

SHA256
abefceafcf523eefa54d0dcbf7911bd1d1e4245d223ed43297a862b3d0d78a90

SHA512
d0e17e1c48b411370413a417efe573d0586d173893898133802cb3092dc4df764d3f2ea9e848d5272e8bb8cdbe8a1e74fd864863931165993c2d9989e7de4a33

Download Submit
memory/716-26-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/716-35-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/2656-25-0x00000000013F0000-0x00000000013F1000-memory.dmp

Filesize
4KB

Download
memory/4696-24-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/4696-36-0x0000000000400000-0x00000000007E5000-memory.dmp

Filesize
3.9MB

Download
memory/4696-38-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads