azorult | 9a3bfe2518904da9dba7f94833ab56d9730d1ca6ee13aa312f184a1ba8f0e71a

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
18/06/2024, 10:30 UTC

Target

bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe
Size

189KB
MD5

bb752eec3d99433f7ab9dd0819e44a93
SHA1

6d6510aa1f21067e523f8eb08b2eb6933cf3d015
SHA256

9a3bfe2518904da9dba7f94833ab56d9730d1ca6ee13aa312f184a1ba8f0e71a
SHA512

0d58e19390fdcdcb8084c7c0e1705af423a138bc367f60dbf035bdfc4d47bf2937e75eb40218067bd8a416abc75a5d8d42da898ec1ae12d6eb628df7b1df5b96
SSDEEP

3072:iuTmJq9RdNQefX1uznJ73csUSbY3wdFD0vKYyUZ7Gx3I7M+ql2C:LmaluznJ1ww70vKsZ7Gx3I7M+ql2C

Score

10^/10

Family

azorult

http://89.46.223.187/0/index.php

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28
PID 1784 wrote to memory of 2568	1784	bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe	28

C:\Users\Admin\AppData\Local\Temp\bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Users\Admin\AppData\Local\Temp\bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bb752eec3d99433f7ab9dd0819e44a93_JaffaCakes118.exe"
  2⤵
  PID:2568

No results found

No results found

memory/1784-9-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-1-0x0000000000AD0000-0x0000000000B06000-memory.dmp

Filesize
216KB

Download
memory/1784-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-3-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1784-4-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/1784-5-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/1784-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/1784-11-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-6-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-10-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2568-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download