azorult | 57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 11:15

Target

57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
Size

112KB
MD5

6de5b2a3dfcfca470ff68039ad159e38
SHA1

d3ff0382059f13b8d5842209e67fcc50e0c0b7ae
SHA256

57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc
SHA512

3c20f047899428b88cb322a78beeceb57b646f405100352b6938ee4d5928c7b1ef24d88c9a25f190abd0bb4551624369264966ad5f76a0cecee335579039ba98
SSDEEP

3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEYnE/Pxg/:Zzx7ZApszolIo7lf/ipT/P

Score

10^/10

Family

azorult

http://boec.ubksg.ru/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2660 2548 WerFault.exe 57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe

pid	pid_target	process	target process
2660	2548	WerFault.exe	57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe

description	pid	process	target process
PID 2548 wrote to memory of 2660	2548	57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe	WerFault.exe
PID 2548 wrote to memory of 2660	2548	57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe	WerFault.exe
PID 2548 wrote to memory of 2660	2548	57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe	WerFault.exe
PID 2548 wrote to memory of 2660	2548	57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe
"C:\Users\Admin\AppData\Local\Temp\57c69ce632f9595a10a1988f2b2d9b137c4b9e4713131075e0850d31e1eaaedc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 872
2⤵
- Program crash
PID:2660

memory/2548-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download