azorult | c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77

General

Target

c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe
Size

610KB
MD5

ad0ed91197890681c43fe8a613ba1b2b
SHA1

d0a7ded680f10ec1871a3b4df10c6a9cc2a30809
SHA256

c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77
SHA512

029ec97c9e08eac5fbda60442b1094b142168c54a4f4233f7812ab46ab8a1f19fa8b4133beb4dff6dbff7ccfcc139367cd966548385b73b3be5e33fe49ac720f
SSDEEP

12288:I2Vmby5Q6IXgRhdiS+j7hmIwKp5KNgcSJtoE2uxck4EUcpF+78:I28SQ6IXgitRwKp5KYoE2uxckrjFM8

Score

10^/10

azorult execution infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2220 powershell.exe

Loads dropped DLL 2 IoCs

Processes:

c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe

pid	process
2024	c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe
2024	c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2164 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2220 powershell.exe
2164 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2220 set thread context of 2164 2220 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2164	wab.exe

description	pid	process	target process
PID 2220 set thread context of 2164	2220	powershell.exe	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exe

pid	process
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2220 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2220 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2220	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exepowershell.exe

description	pid	process	target process
PID 2024 wrote to memory of 2220	2024	c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe	powershell.exe
PID 2024 wrote to memory of 2220	2024	c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe	powershell.exe
PID 2024 wrote to memory of 2220	2024	c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe	powershell.exe
PID 2024 wrote to memory of 2220	2024	c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe	powershell.exe
PID 2220 wrote to memory of 2164	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2164	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2164	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2164	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2164	2220	powershell.exe	wab.exe
PID 2220 wrote to memory of 2164	2220	powershell.exe	wab.exe

C:\Users\Admin\AppData\Local\Temp\c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe
"C:\Users\Admin\AppData\Local\Temp\c97dbc111d46e1bfe08a912bc8a893494f6d3f682d71853ab6b0a3ee3308fb77.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Hnsehold=Get-Content 'C:\Users\Admin\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Fjot.Mum';$printerporte=$Hnsehold.SubString(952,3);.$printerporte($Hnsehold)"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Fjot.Mum

Filesize
66KB

MD5
32d35db1ec0670fb555927534832f6f7

SHA1
ab79fad8e13f41b4cc2364771e75aba2be8ab0ca

SHA256
aeef8a36820c85fd6ebee24bd480c84cf8ae5034c6f93a0ad23634220b583364

SHA512
53e9f2ab5e20674380de4a0fc396f5a2973ef8765880c9dbe954c4256fb9cd391de7339dc9cff63617af7e5c0f9f67e1468cf001f7976817b97d8fdecb898e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\betalingsdatoer\oromo\tututni\Hypertonicity.Fre

Filesize
337KB

MD5
2696a80d76afca2814c90de72a953961

SHA1
b17586d5d14cd8379f03e6c866b915e8f55108d4

SHA256
2a183a9497dcb231e921dc10d79896224eac2c0802f88c78c4e782967beed3e5

SHA512
0b425bc3b929cf95e630143f863718f4e4653b27fbabd7a1cc9e1cff1053aa132399a7fc359c0480f7573569d4aa7af45bc622502d52bffc5c5942b050991509

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB9A0.tmp\AdvSplash.dll

Filesize
5KB

MD5
3134c2821796396ba53e77ef3ea6a268

SHA1
14c58e347fb4bf1b8c6f5ebccae57c58066d8769

SHA256
9cdba2bb0984f10c201921ae5bcfe7b595771e1f12d9e17d31f213bfaf1548c6

SHA512
34beca32375af8e4665b48413c940af67bedf6e34895481281551836460721161b158e642bde120a65ca0143643e06bfe660da2b1900e7ca2e4f7a204e183d4e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB9A0.tmp\nsDialogs.dll

Filesize
9KB

MD5
3cea4c9994912d8f3c3e8b6a814e810e

SHA1
c48d34a0981d4ab576c7a3ab566f5ddb94af5d86

SHA256
b2699fdfdab6a018fcc972806d12f71972de1861660bb6578935d62b1da06504

SHA512
d317449f3c3115e279cff148c3e0bccc9b1d4ba82d1f85c0b99d7db657e85f752c0691d33f8024ada5850c993d0bdcbcc70b296b7cf33d7d14a67bc16ca3b4a3

Download Submit
memory/2164-36-0x0000000000860000-0x00000000018C2000-memory.dmp

Filesize
16.4MB

Download
memory/2164-35-0x0000000000860000-0x00000000018C2000-memory.dmp

Filesize
16.4MB

Download
memory/2164-34-0x0000000000860000-0x00000000018C2000-memory.dmp

Filesize
16.4MB

Download
memory/2220-28-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-23-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-25-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-30-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-31-0x00000000066B0000-0x0000000008AC7000-memory.dmp

Filesize
36.1MB

Download
memory/2220-32-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-24-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-22-0x0000000073970000-0x0000000073F1B000-memory.dmp

Filesize
5.7MB

Download
memory/2220-21-0x0000000073971000-0x0000000073972000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads