azorult | fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453

General

Target

fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe
Size

543KB
MD5

6682edca710f7263cb15016977979864
SHA1

c3a40002d14ee2a04b6ad13264cd84ac2c73eb0f
SHA256

fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453
SHA512

bfc81f0947a49fefe255abb234c2c006c473c2a5d49fd8eec5d8fc478312d59859c020ca4d79d49a456d3c7712db095dbc4d4aec0f9e9b643a325f32e330a636
SSDEEP

12288:32EI5cRYSzvuwIkyXS9bVVsKZIUvhnmd3ZhZQ:3w6RfJIRIVaKZnmdPZQ

Score

10^/10

azorult guloader discovery downloader infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://mhlc.shop/GI341/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult
Guloader family
guloader
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Loads dropped DLL 1 IoCs

pid	Process
2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2880	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe
2880	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2496 set thread context of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\resources\0409\slnger\barometerstandenes.san	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30
PID 2496 wrote to memory of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30
PID 2496 wrote to memory of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30
PID 2496 wrote to memory of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30
PID 2496 wrote to memory of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30
PID 2496 wrote to memory of 2880	2496	fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe	30

C:\Users\Admin\AppData\Local\Temp\fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe
"C:\Users\Admin\AppData\Local\Temp\fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe
  "C:\Users\Admin\AppData\Local\Temp\fa61c2fc0ebca57c196cb2eb3e0bb93e763ca8930be00b8b7f4ffee34ec30453.exe"
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso87C7.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
memory/2496-9-0x0000000003330000-0x00000000059E2000-memory.dmp

Filesize
38.7MB

Download
memory/2496-10-0x00000000770D1000-0x00000000771D2000-memory.dmp

Filesize
1.0MB

Download
memory/2496-11-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2496-12-0x0000000003330000-0x00000000059E2000-memory.dmp

Filesize
38.7MB

Download
memory/2496-14-0x0000000003330000-0x00000000059E2000-memory.dmp

Filesize
38.7MB

Download
memory/2880-13-0x00000000770D0000-0x0000000077279000-memory.dmp

Filesize
1.7MB

Download
memory/2880-15-0x00000000007E0000-0x0000000001842000-memory.dmp

Filesize
16.4MB

Download
memory/2880-16-0x00000000007E0000-0x0000000001842000-memory.dmp

Filesize
16.4MB

Download
memory/2880-17-0x00000000007E0000-0x0000000001842000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing