azorult | bdd500e8d7fadf83d80b3e1e6affbf60af92dff9d0b902b353e6ddad657445da

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 10:04

Target

cb1fef1a16b7fc3851b569ffb51e17d9.exe
Size

353KB
MD5

cb1fef1a16b7fc3851b569ffb51e17d9
SHA1

00373b44ad8558dd23832f3aba6b031acbad706e
SHA256

bdd500e8d7fadf83d80b3e1e6affbf60af92dff9d0b902b353e6ddad657445da
SHA512

0e1650bc41854d87dbef66870e300b52b6bf5fdd66af7753098d3711acea1deae18241cad26b7839bcfbd4a0eccadbec3502b613046cc0a1de3b1b3649d8d016
SSDEEP

6144:36wEc0lyFFVFCTkeiNRTD2dWlKItfK6ioAjVQ5qvfJX73aAtxzxCmJ1X3XCjC6:KwEZuFVk4eiHCiKWfooAjGovfND5xzxP

Score

10^/10

Family

azorult

http://203.159.80.118/PL341/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/2156-0-0x0000000001140000-0x000000000119E000-memory.dmp	family_zgrat_v1

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28
PID 2156 wrote to memory of 2568	2156	cb1fef1a16b7fc3851b569ffb51e17d9.exe	28

C:\Users\Admin\AppData\Local\Temp\cb1fef1a16b7fc3851b569ffb51e17d9.exe
"C:\Users\Admin\AppData\Local\Temp\cb1fef1a16b7fc3851b569ffb51e17d9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
  2⤵
  PID:2568

memory/2156-0-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download
memory/2156-1-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-11-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-7-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2568-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-3-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download