azorult | c280b1fbe9269ef12df640b1b9d6e9aadbb8b7a1f81e3e994f348792a0978658

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe
Size

112KB
MD5

fd0cd5e268223b869c1e05f34d432f52
SHA1

d6aa2e5d161ff893ac5a0217cff673c59abe53b3
SHA256

c280b1fbe9269ef12df640b1b9d6e9aadbb8b7a1f81e3e994f348792a0978658
SHA512

55cb7cc1b13827e23ed17c5dd8b756c9fc9a8b88714694ac91c0ec44b46836b84f7d1f981a483741bd612cdee003de989d45a00edf8d6914edbe60d23cc8ec62
SSDEEP

3072:tuOSXpMx7ZAlHsbfUkolNGti7lfqeSxM3SpyEY3E/vxg/:Zzx7ZApszolIo7lf/ipT/v

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://108.170.55.202/~mimicbng/kc/

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2420 2560 WerFault.exe fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe

pid	pid_target	process	target process
2420	2560	WerFault.exe	fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fd0cd5e268223b869c1e05f34d432f52_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 968
  2⤵
  - Program crash
  PID:2420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2560 -ip 2560
1⤵
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2560-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download