azorult | dd860b1b9612e733d8f0985148b1f47cd9361243ccb729c3b6c3c2280461e157

General

Target

ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe
Size

7.4MB
MD5

ba4048bd09b860638952397c4bf83eeb
SHA1

7d0b68938d8bed360310d4b6a1d90112640b832a
SHA256

dd860b1b9612e733d8f0985148b1f47cd9361243ccb729c3b6c3c2280461e157
SHA512

7666bc99fec316f2d053d39cf64a3ad9dcc7487edfa9926d63b8a0dc89fcdfc1208d3d983c90cf1c83bcaaba86166b1af7c2bb6172941dc10c62965f24338a89
SSDEEP

196608:+jAIMBqN2/6NgE3aIOGW5ueQvD5LHMY8QU4PzETeS:+jMBqNX3leQvFmQU4L0d

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

Processes:

qwerty.exeHitmanPro_x64.exeHitmanPro_x64.exeHitmanPro_x64.exe

pid process

3924 qwerty.exe
4880 HitmanPro_x64.exe
2672 HitmanPro_x64.exe
376 HitmanPro_x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

qwerty.exe

pid process

3924 qwerty.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4652 3924 WerFault.exe qwerty.exe

pid	process
3924	qwerty.exe
4880	HitmanPro_x64.exe
2672	HitmanPro_x64.exe
376	HitmanPro_x64.exe

pid	process
3924	qwerty.exe

pid	pid_target	process	target process
4652	3924	WerFault.exe	qwerty.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

HitmanPro_x64.exeHitmanPro_x64.exe

pid	process
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
4880	HitmanPro_x64.exe
376	HitmanPro_x64.exe
376	HitmanPro_x64.exe
376	HitmanPro_x64.exe
376	HitmanPro_x64.exe
376	HitmanPro_x64.exe
376	HitmanPro_x64.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

HitmanPro_x64.exeHitmanPro_x64.exe

pid process

4880 HitmanPro_x64.exe
4880 HitmanPro_x64.exe
376 HitmanPro_x64.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

HitmanPro_x64.exeHitmanPro_x64.exe

pid process

4880 HitmanPro_x64.exe
4880 HitmanPro_x64.exe
376 HitmanPro_x64.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

qwerty.exe

pid process

3924 qwerty.exe

pid	process
3924	qwerty.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exeHitmanPro_x64.exeHitmanPro_x64.exe

description	pid	process	target process
PID 212 wrote to memory of 3924	212	ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe	qwerty.exe
PID 212 wrote to memory of 3924	212	ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe	qwerty.exe
PID 212 wrote to memory of 3924	212	ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe	qwerty.exe
PID 212 wrote to memory of 4880	212	ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe	HitmanPro_x64.exe
PID 212 wrote to memory of 4880	212	ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe	HitmanPro_x64.exe
PID 4880 wrote to memory of 2672	4880	HitmanPro_x64.exe	HitmanPro_x64.exe
PID 4880 wrote to memory of 2672	4880	HitmanPro_x64.exe	HitmanPro_x64.exe
PID 2672 wrote to memory of 376	2672	HitmanPro_x64.exe	HitmanPro_x64.exe
PID 2672 wrote to memory of 376	2672	HitmanPro_x64.exe	HitmanPro_x64.exe

C:\Users\Admin\AppData\Local\Temp\ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba4048bd09b860638952397c4bf83eeb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwerty.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwerty.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1424
3⤵
- Program crash
PID:4652

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HitmanPro_x64.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\HitmanPro_x64.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe
"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe" /update:"C:\Users\Admin\AppData\Local\Temp\RarSFX0\HitmanPro_x64.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HitmanPro_x64.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\HitmanPro_x64.exe" /updated:"C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 3924
1⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=4016 /prefetch:8
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HitmanPro_x64.exe

Filesize
13.6MB

MD5
57ae72bca137c9ec15470087d2a4c378

SHA1
e4dd10c770a7ec7993ed47a37d1f7182e907e3ed

SHA256
cfeea4ea5121d1e6b1edbd5ca6e575830a0a4cbaf63120bc36639c44e1b89781

SHA512
f80d6732e86a8d38db1ff43c0c5058013bd456c4b86b87018166ca073bc84fb8e7676b55371ae9cec668a77d198e1e7f6854a9a93581ed21a32167e3b9533f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HitmanPro_x64.exe

Filesize
11.0MB

MD5
ea1a56e0bb7313d00b83ed88f69d289b

SHA1
839e555e4a3677db282938ab864075f49689afad

SHA256
fd248cd4516e7838637446bec666fe248bb01fa231a47f1f34d13cb09e445e7d

SHA512
933d8d3ca7b3947474352bb637c019c6086859ff60a12549051495d48281712cd9c02dfa7def124be148a1e2850c65dfb9ad25a502552720717cc513b2c7c0b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\qwerty.exe

Filesize
960KB

MD5
6539c93ba82b568ecc558ae1d18f5228

SHA1
ba820679e051c87b939c2888cd8e9e24f529173a

SHA256
5ca3f43e97cfbcb135804e430fc88f7d26287d924514b34b8ec11159e1c36fcf

SHA512
27efe64e1065b4814fc20b4b994762f80ed327ded1c4a65cfde1627b54322792c640e4e71b61afb2e32163b24acb7516911c861439224ca6c1d01ad22453aa17

Download Submit
memory/376-45-0x0000027F85FC0000-0x0000027F8608D000-memory.dmp

Filesize
820KB

Download
memory/3924-11-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/3924-12-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/4880-39-0x000002ACF2160000-0x000002ACF222D000-memory.dmp

Filesize
820KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads