azorult | c873e9cdbec94411027fe1a4c8dbb6046ec5ca13ef9b0d1c0b070147a3576313

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

413fddd053097d6a39bd7409da6e9f30_JaffaCakes118.ps1
Size

1.7MB
MD5

413fddd053097d6a39bd7409da6e9f30
SHA1

b9e71233920023a61af95c6254a3dc76b9c85a75
SHA256

c873e9cdbec94411027fe1a4c8dbb6046ec5ca13ef9b0d1c0b070147a3576313
SHA512

7497040ca9287c9b168295ad3dd228b3e4ec2d4737f08e35a684b5e9365a8de55d890b8f45ba090e7c8ca370b7adc26c01f21706a80566f801f522b9e7be56d3
SSDEEP

24576:Xw2O9/TgwrSUhVPHahmorI0hnvUwLS4/evnsq82IiemR:A95cwOI0ZhxevnsNQx

Score

10^/10

azorult execution infostealer trojan

Malware Config

Extracted

Family

azorult

http://romegeek.xyz/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Executes dropped EXE 2 IoCs

pid	Process
2668	vbgu.exe
2756	vbgu.exe

Loads dropped DLL 1 IoCs

pid	Process
2668	vbgu.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000004e76-14.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2756	2668	vbgu.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2668	vbgu.exe
2668	vbgu.exe
2668	vbgu.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2668	vbgu.exe
2668	vbgu.exe
2668	vbgu.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2668	1700	powershell.exe	29
PID 1700 wrote to memory of 2668	1700	powershell.exe	29
PID 1700 wrote to memory of 2668	1700	powershell.exe	29
PID 1700 wrote to memory of 2668	1700	powershell.exe	29
PID 2668 wrote to memory of 2756	2668	vbgu.exe	30
PID 2668 wrote to memory of 2756	2668	vbgu.exe	30
PID 2668 wrote to memory of 2756	2668	vbgu.exe	30
PID 2668 wrote to memory of 2756	2668	vbgu.exe	30
PID 2668 wrote to memory of 2756	2668	vbgu.exe	30
PID 2668 wrote to memory of 2756	2668	vbgu.exe	30

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\413fddd053097d6a39bd7409da6e9f30_JaffaCakes118.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Public\vbgu.exe
  "C:\Users\Public\vbgu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Public\vbgu.exe
    "C:\Users\Public\vbgu.exe"
    3⤵
    - Executes dropped EXE
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vbgu.exe

Filesize
1.2MB

MD5
9dee27ab2ff67041a80637a028f1a3ea

SHA1
f8d6df7e3a80ab66d49af411243aed57c97fe769

SHA256
b5b5f500c36d510508d4cdadf44655ee7a03fbc6861fd64cdae313d55087da6f

SHA512
6322dd35218d390e080c88ab244b564197ac737932804f6d10bdce12dfa0f6f5c8f13df6877d468ace6eeb7fcf30e37871306e282a331b5e10a190ec55ffc6ca

Download Submit
memory/1700-11-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-5-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1700-8-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-6-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1700-10-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-4-0x000007FEF585E000-0x000007FEF585F000-memory.dmp

Filesize
4KB

Download
memory/1700-9-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-7-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/1700-17-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2668-19-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2756-33-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2756-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2756-22-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/2756-20-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download