azorult | 3a667485b1ccba134ee637aab2caf19d9d2dca135e259cac62b38fca0fa1acfc

General

Target

PTSans.exe
Size

552KB
MD5

88cab3e01e7d2274dd56a8d4b605cafb
SHA1

d78df20a64aecb448521975d88360e5c9392cf2c
SHA256

270ccfd9fa5927e0dd36355f13d51ea5af5fe643c3cf22f374ca60ce6a73b7a5
SHA512

01ad52674350a68c461f284912a654514ca28fbf77cf1d99711e0df38e571fbca3d186f7ae0cfcf62fca135a09af6ecec481df014702605d07a8a542e39578d0
SSDEEP

12288:dh1Lk70TnvjcDXVrpUGT+PgTQ7761bPXdlzbNQ8qd:Zk70TrcDZvTs61bPXjzBQ8qd

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://cupononline.pk/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	PTSans.exe

Executes dropped EXE 2 IoCs

pid	Process
532	pku2u.exe
3184	pku2u.exe

Loads dropped DLL 1 IoCs

pid	Process
532	pku2u.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 532 set thread context of 3184	532	pku2u.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0003000000022784-31.dat	nsis_installer_1
behavioral2/files/0x0003000000022784-31.dat	nsis_installer_2

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE
3576	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
548	PTSans.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
532	pku2u.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	PTSans.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 532	548	PTSans.exe	98
PID 548 wrote to memory of 532	548	PTSans.exe	98
PID 548 wrote to memory of 532	548	PTSans.exe	98
PID 548 wrote to memory of 2784	548	PTSans.exe	99
PID 548 wrote to memory of 2784	548	PTSans.exe	99
PID 548 wrote to memory of 2784	548	PTSans.exe	99
PID 2784 wrote to memory of 2404	2784	cmd.exe	101
PID 2784 wrote to memory of 2404	2784	cmd.exe	101
PID 2784 wrote to memory of 2404	2784	cmd.exe	101
PID 2784 wrote to memory of 3576	2784	cmd.exe	102
PID 2784 wrote to memory of 3576	2784	cmd.exe	102
PID 2784 wrote to memory of 3576	2784	cmd.exe	102
PID 532 wrote to memory of 3184	532	pku2u.exe	109
PID 532 wrote to memory of 3184	532	pku2u.exe	109
PID 532 wrote to memory of 3184	532	pku2u.exe	109
PID 532 wrote to memory of 3184	532	pku2u.exe	109

C:\Users\Admin\AppData\Local\Temp\PTSans.exe
"C:\Users\Admin\AppData\Local\Temp\PTSans.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\pku2u.exe
  "C:\Users\Admin\AppData\Local\Temp\pku2u.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\pku2u.exe
    "C:\Users\Admin\AppData\Local\Temp\pku2u.exe"
    3⤵
    - Executes dropped EXE
    PID:3184
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\PTSans.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\PTSans.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 100
    3⤵
    - Runs ping.exe
    PID:2404
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 900
    3⤵
    - Runs ping.exe
    PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3336 --field-trial-handle=3488,i,1267426273081718772,6254127258555406296,262144 --variations-seed-version /prefetch:8
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsz84A3.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pku2u.exe

Filesize
344KB

MD5
d0957630ce5affc9a61653a86e62c7fc

SHA1
e17c677f5f721a7dac4a1a63606f377a8b17170b

SHA256
f4fcef394f181c4b6c64eda3b135bd4be7676f61cd899be532616c7a2fb7ed7a

SHA512
e36fb00135204c0c6e0da8aa79be80708001c5282203b710fdde7bb0c9cad08ffcaddfdbe47a0dabd45e4fb7abf6c85d17c9526bbb03fcac85e588e2321e45ee

Download Submit
memory/532-52-0x0000000009740000-0x0000000009761000-memory.dmp

Filesize
132KB

Download
memory/532-48-0x0000000009740000-0x0000000009761000-memory.dmp

Filesize
132KB

Download
memory/532-47-0x0000000009740000-0x0000000009761000-memory.dmp

Filesize
132KB

Download
memory/548-7-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-24-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/548-0-0x0000000004AE0000-0x0000000004B4E000-memory.dmp

Filesize
440KB

Download
memory/548-9-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-11-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-13-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-15-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-17-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-19-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-21-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-23-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-6-0x0000000004B90000-0x0000000004BF7000-memory.dmp

Filesize
412KB

Download
memory/548-25-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/548-26-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/548-5-0x0000000004B90000-0x0000000004BFE000-memory.dmp

Filesize
440KB

Download
memory/548-44-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/548-4-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/548-2-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/548-3-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/548-1-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3184-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3184-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3184-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3184-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing