azorult | 847c3d58050d5d9fa51663b015e00bc2825f276c4e8d85cf4bdc16dca30be311

General

Target

d6953714645c5b56b61f2f9ec39c186e60b40f62673cffff0ff216c57c07549a.rtf
Size

241KB
MD5

5d20d729fc550b52705a6e72cb362f5e
SHA1

0b70138425b5c0de26ee2002cdbd615e0bfa11bd
SHA256

d6953714645c5b56b61f2f9ec39c186e60b40f62673cffff0ff216c57c07549a
SHA512

84e321e0eb90b910420cbadd46474fd6725b3481973c0e8322165d041227e357f0f67ae35920784443c3e51c50d3f935f3327095035888bf80cdf9741a6ca67c
SSDEEP

1536:gCBEjP41b4WzuvItfUGa2amY3EHRnAOWQWK2wmFThb4ppsyxn81be880WBOdQzhU:xfnzuWlxAOrOI0/ybSjKM4ln8

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

C2

https://suspam.com/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Executes dropped EXE 1 IoCs

pid	Process
2436	Server.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 2 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2780	EQNEDT32.EXE
2700	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1764	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1764	WINWORD.EXE
1764	WINWORD.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2824	2700	EQNEDT32.EXE	33
PID 2700 wrote to memory of 2824	2700	EQNEDT32.EXE	33
PID 2700 wrote to memory of 2824	2700	EQNEDT32.EXE	33
PID 2700 wrote to memory of 2824	2700	EQNEDT32.EXE	33
PID 2824 wrote to memory of 2436	2824	cmd.exe	36
PID 2824 wrote to memory of 2436	2824	cmd.exe	36
PID 2824 wrote to memory of 2436	2824	cmd.exe	36
PID 2824 wrote to memory of 2436	2824	cmd.exe	36
PID 1764 wrote to memory of 1928	1764	WINWORD.EXE	38
PID 1764 wrote to memory of 1928	1764	WINWORD.EXE	38
PID 1764 wrote to memory of 1928	1764	WINWORD.EXE	38
PID 1764 wrote to memory of 1928	1764	WINWORD.EXE	38

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d6953714645c5b56b61f2f9ec39c186e60b40f62673cffff0ff216c57c07549a.rtf"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1928

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
PID:2780

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c%tmp%\Server.exe AC
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    C:\Users\Admin\AppData\Local\Temp\Server.exe AC
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBEE4B5E.wmf

Filesize
316B

MD5
95bb648d6eb9265eeaf0f889731b1e23

SHA1
631d60a024835f4e53ceb9d0a987ce52fe517df4

SHA256
9639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c

SHA512
184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
112KB

MD5
b89d7fda2fe9355fbb134838536fb0fb

SHA1
cb41b67c5f79cf6a0eda33d2e988e26fee0e383e

SHA256
abd6c1f331de27aff1e2bbc3e79856aa66e13f36ea2f0fc3cd81b914b4779077

SHA512
42303a8f6c8345f380a4db460d601b53bdaf4994a0007486394d36cbfb5115782f544f05e0a23903b7c33d7d09f8e5c38a5963075ee9debf007871fabcb15fa6

Download Submit
memory/1764-0-0x000000002F1C1000-0x000000002F1C2000-memory.dmp

Filesize
4KB

Download
memory/1764-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1764-2-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/1764-21-0x000000007105D000-0x0000000071068000-memory.dmp

Filesize
44KB

Download
memory/2436-20-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing