azorult | 65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc

General

Target

65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe
Size

849KB
MD5

0be9332786cd2b5d41edf5746bd4d351
SHA1

44443541dd2e4a40820f23d9057a92a27dfdc823
SHA256

65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc
SHA512

0dc9145a7cd7c7a2f8fcac3cad2ad8d046f2457013f8948423e8ba14928508b5fed3bb2835e5616c7072e0305e67a870fd5d2198d6e6220baf75e23047e2ecb2
SSDEEP

24576:HYDoeMwkejuoLDypBE2pBV92Smc7RfLym5Nhcp:4dMErLepBE2Sg7RDxhy

Score

10^/10

azorult discovery execution infostealer trojan

Malware Config

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anraabelsens\Hyposternal.udk	65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1100	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2836	powershell.exe
1100	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2836 set thread context of 1100	2836	powershell.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2836	2208	65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe	30
PID 2208 wrote to memory of 2836	2208	65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe	30
PID 2208 wrote to memory of 2836	2208	65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe	30
PID 2208 wrote to memory of 2836	2208	65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe	30
PID 2836 wrote to memory of 1100	2836	powershell.exe	34
PID 2836 wrote to memory of 1100	2836	powershell.exe	34
PID 2836 wrote to memory of 1100	2836	powershell.exe	34
PID 2836 wrote to memory of 1100	2836	powershell.exe	34
PID 2836 wrote to memory of 1100	2836	powershell.exe	34
PID 2836 wrote to memory of 1100	2836	powershell.exe	34

C:\Users\Admin\AppData\Local\Temp\65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe
"C:\Users\Admin\AppData\Local\Temp\65645a7b022d73d26cf94f50e0c9eaa224911bf8443b0366bcc671be27dbb9bc.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -windowstyle hidden "$Hastvrkets=Get-Content 'C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Ruskinian.Aut';$Udskydningers=$Hastvrkets.SubString(72279,3);.$Udskydningers($Hastvrkets) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files (x86)\windows mail\wab.exe
    "C:\Program Files (x86)\windows mail\wab.exe"
    3⤵
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Ruskinian.Aut

Filesize
70KB

MD5
d9f4631e18a66d4ac6bc85db28bb10fb

SHA1
b23b5e8e1f4601988295cb5e379ec0474cb3447f

SHA256
1ab90c8d831cc11a285d0599f39eb963d98ff7778d573fa48e5af2b95068f53d

SHA512
2a363e7f5dd49b790d2f423087bb4c347bed2c2f690929fc5c8cf219e8ed244d348a87a503a4bc1b4c59c8d6946c6f8652a2b4454902ff9cd52cb08586b89082

Download Submit
C:\Users\Admin\AppData\Local\Temp\forgrovelse\konstituerendes\Underdunged.Fam

Filesize
338KB

MD5
5f7c09db13ccfc096cf55c4a39399bf1

SHA1
0ad484dcf6cb718fc971bf57fae45629ad2f3e29

SHA256
3d4e46fb6ccb21b3511176709d606ad37e942724e869997a19951966cf55156c

SHA512
6f5cc07e5cf264b5c65e9610c6141d0d90db75483ed84c22c5cf7b662126a027366a1fd36c3f9b9201bf5236d95007b31a39e698050aabad6bf6e3e707086c68

Download Submit
memory/1100-37-0x0000000000340000-0x00000000013A2000-memory.dmp

Filesize
16.4MB

Download
memory/1100-36-0x0000000000340000-0x00000000013A2000-memory.dmp

Filesize
16.4MB

Download
memory/1100-20-0x0000000000340000-0x00000000013A2000-memory.dmp

Filesize
16.4MB

Download
memory/2836-14-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-7-0x0000000073BC1000-0x0000000073BC2000-memory.dmp

Filesize
4KB

Download
memory/2836-11-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-16-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-17-0x00000000067B0000-0x000000000AACF000-memory.dmp

Filesize
67.1MB

Download
memory/2836-18-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-9-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-10-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/2836-8-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing