azorult | a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
Size

5.0MB
MD5

2945861a5c63dc8c370c2a871c0c068d
SHA1

bd65f9b62ac12d0fe7247da40e2e8cc8d961ea82
SHA256

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de
SHA512

d6f9a43a763ee2a7be278c3e78499a397c2138fa2a029ba2d79e28fcd8098011625c9e1ffb921b98aaca96685cf888a3b910d50cc7e1aefe82011855c46b1afa
SSDEEP

98304:Ulcuil93rmV8VRpI4hIbl1xdeH7HxLj02pckA0nUe:wxij889UbHxkDxLj02pckp

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://51.75.24.146/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detects executables packed with Enigma 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-27-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-38-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-49-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-52-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-54-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-56-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-58-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-60-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-63-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-65-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-67-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-69-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-71-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-73-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-75-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-77-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-79-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-81-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-98-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-100-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-108-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-109-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma
behavioral2/memory/4344-118-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Enigma

Detects packed executables observed in Molerats 23 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-27-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-38-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-49-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-52-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-54-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-56-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-58-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-60-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-63-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-65-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-67-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-69-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-71-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-73-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-75-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-77-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-79-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-81-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-98-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-100-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-108-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-109-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader
behavioral2/memory/4344-118-0x0000000000400000-0x000000000080D000-memory.dmp	INDICATOR_EXE_Packed_Loader

Loads dropped DLL 1 IoCs

Processes:

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

pid process

4344 a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

pid	process
4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

description	pid	process
Token: 33	4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
Token: SeIncBasePriorityPrivilege	4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
Token: 33	4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
Token: SeIncBasePriorityPrivilege	4344	a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

pid process

4344 a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

pid process

4344 a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe

C:\Users\Admin\AppData\Local\Temp\a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe
"C:\Users\Admin\AppData\Local\Temp\a9c8ae35d012a04266e31d26bfbf42cce383ba516146e181d5ac8d8957be71de.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SPOON\CACHE\0x96CB499D019BA9E3\sxs\Manifests\333355.exe_0x83175340d49e5e191208873df2f62453.1.manifest

Filesize
379B

MD5
73102579f0cc3777bdd0ba96bab8d6f4

SHA1
08512e731aed9cdfeebf2e8fdc24a35ea23e3477

SHA256
03c937a5aba7fd7eab8ae959606ea4598e474da06b7ec63701255e7325a9e435

SHA512
e3928e509d852ae8f62b6378f984013345ddff9f5073e77323703acf20ca44bebff1753f09e7343cd948559bcafe766edce38e767efc5e7e7a5fd42c37be2e13

Download Submit
C:\Users\Admin\AppData\Local\Turbo.net\Sandbox\Wise Data Recovery \4.0.7 \local\temp\4344_00400000_tls.dll

Filesize
1024B

MD5
59544b3b6e3b094d61db637696500785

SHA1
032f018879f7f0cee15270d31fc2ec85e5e070ea

SHA256
14271bfdfd99fc5860a941e7d4b36660e1adad88c38115b3c2b2069cfcf07d87

SHA512
aa0f3d56fc2eab6753211614971e882de0bdd097011fe08f76ff0edd9edb02b559b04580f2b109c5cc9b5cc63286dc18c642b709f83dcde6055e1fa077f49636

Download Submit
C:\Users\Admin\AppData\Local\Turbo.net\Sandbox\Wise Data Recovery \4.0.7 \xsandbox.bin

Filesize
16B

MD5
ec3d19e8e9b05d025cb56c2a98ead8e7

SHA1
748532edeb86496c8efe5e2327501d89ec1f13df

SHA256
edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4

SHA512
175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349

Download Submit
memory/4344-1-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-6-0x0000000077D83000-0x0000000077D84000-memory.dmp

Filesize
4KB

Download
memory/4344-7-0x0000000077D82000-0x0000000077D83000-memory.dmp

Filesize
4KB

Download
memory/4344-8-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4344-9-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-10-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-11-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-12-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-13-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-14-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-15-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-16-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-18-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-19-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/4344-24-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/4344-25-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/4344-26-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/4344-27-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-38-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-49-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-50-0x0000000075420000-0x0000000075422000-memory.dmp

Filesize
8KB

Download
memory/4344-52-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-54-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-56-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-58-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-60-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-62-0x0000000010000000-0x0000000010099000-memory.dmp

Filesize
612KB

Download
memory/4344-63-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-65-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-67-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-69-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-71-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-73-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-75-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-77-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-79-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-81-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-98-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-100-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-104-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-106-0x0000000077D82000-0x0000000077D83000-memory.dmp

Filesize
4KB

Download
memory/4344-105-0x0000000077D83000-0x0000000077D84000-memory.dmp

Filesize
4KB

Download
memory/4344-107-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4344-108-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-109-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download
memory/4344-117-0x0000000001030000-0x00000000014B5000-memory.dmp

Filesize
4.5MB

Download
memory/4344-118-0x0000000000400000-0x000000000080D000-memory.dmp

Filesize
4.1MB

Download