azorult | 5ca3f43e97cfbcb135804e430fc88f7d26287d924514b34b8ec11159e1c36fcf | Triage

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
18/06/2024, 06:45

Sharing

Report Analysis Logs

General

Target

qwerty.exe
Size

960KB
MD5

6539c93ba82b568ecc558ae1d18f5228
SHA1

ba820679e051c87b939c2888cd8e9e24f529173a
SHA256

5ca3f43e97cfbcb135804e430fc88f7d26287d924514b34b8ec11159e1c36fcf
SHA512

27efe64e1065b4814fc20b4b994762f80ed327ded1c4a65cfde1627b54322792c640e4e71b61afb2e32163b24acb7516911c861439224ca6c1d01ad22453aa17
SSDEEP

24576:TkFRNLc8wW4TW29vShuXBSZrlwCC/36sG28Eod7/nuKNAlz:TqR4TzvSh8SZlXs22iTNcz

Score

10^/10

azorult infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2976	qwerty.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	2976	WerFault.exe	27

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2976	qwerty.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2284	2976	qwerty.exe	28
PID 2976 wrote to memory of 2284	2976	qwerty.exe	28
PID 2976 wrote to memory of 2284	2976	qwerty.exe	28
PID 2976 wrote to memory of 2284	2976	qwerty.exe	28

C:\Users\Admin\AppData\Local\Temp\qwerty.exe
"C:\Users\Admin\AppData\Local\Temp\qwerty.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 832
  2⤵
  - Program crash
  PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2976-0-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download
memory/2976-1-0x0000000000400000-0x0000000000784000-memory.dmp

Filesize
3.5MB

Download