azorult | 134755c58e6059b79e9713bd2510ba6d6035fbfcd5158374588102fac9030830

General

Target

51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
Size

2.0MB
MD5

51e7c3f9ca82945731cb92d976eda8b0
SHA1

875977cf0c16aacc9caf2157854cd6ae48f5ec58
SHA256

134755c58e6059b79e9713bd2510ba6d6035fbfcd5158374588102fac9030830
SHA512

b88ad7bd53dc82f732dba8ef31ed9c32e503bf20a730ea8588bea9f14ba97e59f262e90153f86f7b384c65efb9e0cd56fbcd2fbe071cb78559cc8ed6c5681e7f
SSDEEP

24576:su6J33O0c+JY5UZ+XC0kGso6FaI1IXgM6YmenKKSUlmDaGJTA4Pqa6jUvOkQwKY8:2u0c++OCvkGs9Fap5aLKLkDl+dUvO9YS

Score

10^/10

azorult quasar ebayprofiles infostealer spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

EbayProfiles

C2

5.8.88.191:443

sockartek.icu:443

Mutex

QSR_MUTEX_0kBRNrRz5TDLEQouI0

Attributes

encryption_key
MWhG6wsClMX8aJM2CVXT
install_name
winsock.exe
log_directory
Logs
reconnect_delay
3000
startup_key
win defender run
subdirectory
SubDir

Extracted

Family

azorult

C2

http://0x21.in:8000/_az/

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233f2-12.dat	family_quasar
behavioral2/memory/3592-20-0x0000000000B10000-0x0000000000B6E000-memory.dmp	family_quasar
behavioral2/files/0x00090000000233f5-51.dat	family_quasar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe

Executes dropped EXE 3 IoCs

pid	Process
3956	vnc.exe
3592	windef.exe
748	winsock.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\m:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\n:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\o:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\y:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\g:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\i:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\j:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\z:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\q:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\s:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\u:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\v:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\x:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\a:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\b:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\e:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\h:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\r:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\w:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\k:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\p:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
File opened (read-only)	\??\t:	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x00090000000233f5-51.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1020 set thread context of 1884	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2764	3956	WerFault.exe	83
988	748	WerFault.exe	97
4432	4772	WerFault.exe	124
4620	5004	WerFault.exe	120

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4704	schtasks.exe
208	schtasks.exe
2904	schtasks.exe
4116	schtasks.exe
2784	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2804	PING.EXE
2708	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3592	windef.exe
Token: SeDebugPrivilege	748	winsock.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
748	winsock.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3956	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	83
PID 1020 wrote to memory of 3956	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	83
PID 1020 wrote to memory of 3956	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	83
PID 1020 wrote to memory of 3592	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	85
PID 1020 wrote to memory of 3592	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	85
PID 1020 wrote to memory of 3592	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	85
PID 3956 wrote to memory of 1400	3956	vnc.exe	86
PID 3956 wrote to memory of 1400	3956	vnc.exe	86
PID 3956 wrote to memory of 1400	3956	vnc.exe	86
PID 1020 wrote to memory of 1884	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 1884	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 1884	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 1884	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 1884	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 4704	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	91
PID 1020 wrote to memory of 4704	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	91
PID 1020 wrote to memory of 4704	1020	51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe	91
PID 3592 wrote to memory of 208	3592	windef.exe	95
PID 3592 wrote to memory of 208	3592	windef.exe	95
PID 3592 wrote to memory of 208	3592	windef.exe	95
PID 3592 wrote to memory of 748	3592	windef.exe	97
PID 3592 wrote to memory of 748	3592	windef.exe	97
PID 3592 wrote to memory of 748	3592	windef.exe	97
PID 748 wrote to memory of 2904	748	winsock.exe	98
PID 748 wrote to memory of 2904	748	winsock.exe	98
PID 748 wrote to memory of 2904	748	winsock.exe	98

C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 548
    3⤵
    - Program crash
    PID:2764
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\windef.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:208
- - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\98XZmpy1bJmm.bat" "
      4⤵
      PID:3520
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2804
    - - C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe"
        5⤵
        
        PID:5004
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "win defender run" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\winsock.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Vc58J22htDFF.bat" "
        6⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2708
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 2228
        6⤵
        Program crash
        
        PID:4620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1968
      4⤵
      Program crash
      PID:988
- C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\51e7c3f9ca82945731cb92d976eda8b0_NeikiAnalytics.exe"
  2⤵
  PID:1884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3956 -ip 3956
1⤵
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 748 -ip 748
1⤵
PID:4828

C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
1⤵
PID:3616
- C:\Users\Admin\AppData\Local\Temp\vnc.exe
  "C:\Users\Admin\AppData\Local\Temp\vnc.exe"
  2⤵
  PID:4772
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 520
    3⤵
    - Program crash
    PID:4432
- C:\Users\Admin\AppData\Local\Temp\windef.exe
  "C:\Users\Admin\AppData\Local\Temp\windef.exe"
  2⤵
  PID:2976
- C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe
  "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn RtkAudioService64 /tr "C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4772 -ip 4772
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5004 -ip 5004
1⤵
PID:3864

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1336
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:4168

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\windef.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\98XZmpy1bJmm.bat

Filesize
208B

MD5
ab4cb30767b795f71518d9a763d86471

SHA1
33b36327235b5a2b0f47a05ecc66821b0bd28d1d

SHA256
d6ac6831eff9171611f71273dac99be9cab219fdab4ce10eb34c4858f102c133

SHA512
0c71f2701a545c926d5bf41ae6ab16d445fc45516d109cd7c82865bab085a7152d6ecd9e84f255c5f50e8e997d387c092e59699291ff9b83a84e0812a12fe66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Vc58J22htDFF.bat

Filesize
208B

MD5
7eb1bf413af15d33cf90c7ded6d5c2c3

SHA1
cb9f985db4d79296b14c12d81281001982e9fe97

SHA256
23f4e80d25456b263aeb9c8311fe5f969cfbab9af55c8ed15abf99345b2893de

SHA512
821af16eb786722ca0548afa369fe33702d344166f524e251247b4280a9bb78e2414d19eef703d983cc5af367935385beb064241f8d1dfab270096dea63fc9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnc.exe

Filesize
405KB

MD5
b8ba87ee4c3fc085a2fed0d839aadce1

SHA1
b3a2e3256406330e8b1779199bb2b9865122d766

SHA256
4e8a99cd33c9e5c747a3ce8f1a3e17824846f4a8f7cb0631aebd0815db2ce3a4

SHA512
7a775a12cd5bcd182d64be0d31f800b456ca6d1b531189cea9c72e1940871cfe92ccd005938f67bfa4784ae44c54b3a7ea29a5bb59766e98c78bf53b680f2ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\windef.exe

Filesize
349KB

MD5
b4a202e03d4135484d0e730173abcc72

SHA1
01b30014545ea526c15a60931d676f9392ea0c70

SHA256
7050608d53f80269df951d00883ed79815c060ce7678a76b5c3f6a2a985beea9

SHA512
632a035a3b722ea29b02aad1f0da3df5bdc38abc7e6617223790955c6c0830f1070b528680416d5c63ea5e846074cdad87f06c21c35a77b1ccc4edc089d8b1fb

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-05-2024

Filesize
224B

MD5
2100ad29b60792b771578bf29b706c90

SHA1
411b28f42e2b38ef6e0f0153cf037f50c6bcd032

SHA256
2da740b4c2166b6f5af3d28d63748c46084fcbc69abb75a19ccf1b5c9678252a

SHA512
2a7dd2a442d20f41ec912aaface3b077f4215928af9d39815dc1c6413742ab20b6ea84f31f213373bdd13603d06aff5be184d91bb1d9b2dd2d3ed0d7d2b2b93d

Download Submit
C:\Users\Admin\btpanui\SystemPropertiesPerformance.exe

Filesize
2.0MB

MD5
f54a46489c8acedce145937ac6a65cba

SHA1
f4ee5a06d1c1597508b5e3d10d5ff1a747133d08

SHA256
3ec2f68fed7fe1007df45760ab5cd0e5116f5500b7719d0b45e0369364b061c3

SHA512
f4d4f2a3eb2b162e12e6032dddf7dedb559b7914f8c8ffe1ae061d31013a45705ffff4223337eb100d9bad1363cca187d0f7b6f59bc712c288eba56785b395ed

Download Submit
memory/748-45-0x00000000062B0000-0x00000000062BA000-memory.dmp

Filesize
40KB

Download
memory/1020-21-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/1884-30-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/1884-22-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/2356-74-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/2356-80-0x0000000000B20000-0x0000000000B40000-memory.dmp

Filesize
128KB

Download
memory/3592-36-0x0000000005890000-0x00000000058A2000-memory.dmp

Filesize
72KB

Download
memory/3592-37-0x0000000006680000-0x00000000066BC000-memory.dmp

Filesize
240KB

Download
memory/3592-35-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/3592-34-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/3592-31-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/3592-20-0x0000000000B10000-0x0000000000B6E000-memory.dmp

Filesize
376KB

Download
memory/3592-19-0x0000000072C8E000-0x0000000072C8F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads