azorult | 38a98f4740ed923913176a2ed5459288a6ba5d330855695fdc57395d650e4016

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe
Size

596KB
MD5

a1e08b9606f07d719636172b7d7dfcad
SHA1

82f13b74d89c1df15ae5148a5fa1dfa5b3d2ae59
SHA256

38a98f4740ed923913176a2ed5459288a6ba5d330855695fdc57395d650e4016
SHA512

87601936125e6eab797b8fc052d1e9049944da136386e7157c5251dca3d39dfc6190130502285fcdad475a5c84c13390f49541d05d4bf9efc6b36192dc96d73c
SSDEEP

6144:L9ksE0Bh/MUlE7t+v5EUd9+xNOL4gaorniDWA4pXv:6m/Auvd9+x2daaniDWN

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

http://kitchenraja.in/fort/32/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1632 set thread context of 2316	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	28

Program crash 1 IoCs

pid	pid_target	Process	procid_target
376	1632	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe
1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe
1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe
1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2316	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2316	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2316	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2316	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2316	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	28
PID 1632 wrote to memory of 376	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	29
PID 1632 wrote to memory of 376	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	29
PID 1632 wrote to memory of 376	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	29
PID 1632 wrote to memory of 376	1632	a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a1e08b9606f07d719636172b7d7dfcad_JaffaCakes118.exe"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 244
  2⤵
  - Program crash
  PID:376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-18-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-34-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-33-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-32-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-31-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-30-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-29-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-28-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-27-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-26-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-25-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-24-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-16-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-22-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-21-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-20-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-19-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-38-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-35-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-23-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-15-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-14-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-13-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-12-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-11-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-10-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-9-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-8-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-7-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-6-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-5-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-4-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-17-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-2-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1632-1-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1632-0-0x00000000000A0000-0x00000000000A5000-memory.dmp

Filesize
20KB

Download
memory/2316-36-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2316-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download