azorult | 3a667485b1ccba134ee637aab2caf19d9d2dca135e259cac62b38fca0fa1acfc

General

Target

PTSans.exe
Size

552KB
MD5

88cab3e01e7d2274dd56a8d4b605cafb
SHA1

d78df20a64aecb448521975d88360e5c9392cf2c
SHA256

270ccfd9fa5927e0dd36355f13d51ea5af5fe643c3cf22f374ca60ce6a73b7a5
SHA512

01ad52674350a68c461f284912a654514ca28fbf77cf1d99711e0df38e571fbca3d186f7ae0cfcf62fca135a09af6ecec481df014702605d07a8a542e39578d0
SSDEEP

12288:dh1Lk70TnvjcDXVrpUGT+PgTQ7761bPXdlzbNQ8qd:Zk70TrcDZvTs61bPXjzBQ8qd

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://cupononline.pk/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Deletes itself 1 IoCs

pid	Process
2372	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2840	pku2u.exe
3012	pku2u.exe

Loads dropped DLL 3 IoCs

pid	Process
1196	PTSans.exe
2840	pku2u.exe
2840	pku2u.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2840 set thread context of 3012	2840	pku2u.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000b00000001224f-28.dat	nsis_installer_1
behavioral1/files/0x000b00000001224f-28.dat	nsis_installer_2

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2568	PING.EXE
2428	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1196	PTSans.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2840	pku2u.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	PTSans.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 2840	1196	PTSans.exe	28
PID 1196 wrote to memory of 2840	1196	PTSans.exe	28
PID 1196 wrote to memory of 2840	1196	PTSans.exe	28
PID 1196 wrote to memory of 2840	1196	PTSans.exe	28
PID 1196 wrote to memory of 2372	1196	PTSans.exe	29
PID 1196 wrote to memory of 2372	1196	PTSans.exe	29
PID 1196 wrote to memory of 2372	1196	PTSans.exe	29
PID 1196 wrote to memory of 2372	1196	PTSans.exe	29
PID 2372 wrote to memory of 2428	2372	cmd.exe	31
PID 2372 wrote to memory of 2428	2372	cmd.exe	31
PID 2372 wrote to memory of 2428	2372	cmd.exe	31
PID 2372 wrote to memory of 2428	2372	cmd.exe	31
PID 2372 wrote to memory of 2568	2372	cmd.exe	32
PID 2372 wrote to memory of 2568	2372	cmd.exe	32
PID 2372 wrote to memory of 2568	2372	cmd.exe	32
PID 2372 wrote to memory of 2568	2372	cmd.exe	32
PID 2840 wrote to memory of 3012	2840	pku2u.exe	33
PID 2840 wrote to memory of 3012	2840	pku2u.exe	33
PID 2840 wrote to memory of 3012	2840	pku2u.exe	33
PID 2840 wrote to memory of 3012	2840	pku2u.exe	33
PID 2840 wrote to memory of 3012	2840	pku2u.exe	33

C:\Users\Admin\AppData\Local\Temp\PTSans.exe
"C:\Users\Admin\AppData\Local\Temp\PTSans.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\pku2u.exe
  "C:\Users\Admin\AppData\Local\Temp\pku2u.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Users\Admin\AppData\Local\Temp\pku2u.exe
    "C:\Users\Admin\AppData\Local\Temp\pku2u.exe"
    3⤵
    - Executes dropped EXE
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\PTSans.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\PTSans.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:2428
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso3314.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
\Users\Admin\AppData\Local\Temp\pku2u.exe

Filesize
344KB

MD5
d0957630ce5affc9a61653a86e62c7fc

SHA1
e17c677f5f721a7dac4a1a63606f377a8b17170b

SHA256
f4fcef394f181c4b6c64eda3b135bd4be7676f61cd899be532616c7a2fb7ed7a

SHA512
e36fb00135204c0c6e0da8aa79be80708001c5282203b710fdde7bb0c9cad08ffcaddfdbe47a0dabd45e4fb7abf6c85d17c9526bbb03fcac85e588e2321e45ee

Download Submit
memory/1196-6-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-2-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1196-4-0x0000000004780000-0x00000000047EE000-memory.dmp

Filesize
440KB

Download
memory/1196-5-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-0-0x0000000004710000-0x000000000477E000-memory.dmp

Filesize
440KB

Download
memory/1196-22-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-20-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-18-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-16-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-14-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-12-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-10-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-24-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1196-23-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1196-8-0x0000000004780000-0x00000000047E7000-memory.dmp

Filesize
412KB

Download
memory/1196-1-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/1196-3-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1196-41-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-40-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/2840-46-0x00000000003D0000-0x00000000003F1000-memory.dmp

Filesize
132KB

Download
memory/3012-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3012-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3012-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3012-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing