azorult | 0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4

Resubmissions

19/03/2025, 20:13

250319-yzdk1a1yew 10

06/12/2023, 15:44

16/11/2023, 20:24

05/04/2023, 06:56

04/04/2023, 08:02

Analysis

max time kernel
100s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

??????????? ??????????????.exe
Size

234KB
MD5

38d378ff52ea3dba53a07eee3ed769c7
SHA1

94181ebcbe353d496701681b6bd03e06c1c63751
SHA256

0791c43de42272d1f5eb20ee67b0ad4194e2bb8f00975aa906605d8cd0c4c6a4
SHA512

ab096595c92f3bca5659b2156e3daed47f70dd8ab3ddff1506ff164a50fa4d15f2503776d43633056ebcb569255295f8f7af53a031f552da1a3f73d017c105cc
SSDEEP

6144:gYa6oBsctoZqfq4S4JV2p9wubvEjRTsObhUXLbPp:gYxcCZqHp2prEVs+C7F

Score

10^/10

azorult discovery infostealer trojan

Malware Config

Extracted

Family

azorult

http://141.98.6.162/office/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Executes dropped EXE 2 IoCs

pid	Process
3900	jjhluxw.exe
2520	jjhluxw.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3900 set thread context of 2520	3900	jjhluxw.exe	79

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	___________ ______________.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjhluxw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jjhluxw.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3900	jjhluxw.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 6080 wrote to memory of 3900	6080	___________ ______________.exe	78
PID 6080 wrote to memory of 3900	6080	___________ ______________.exe	78
PID 6080 wrote to memory of 3900	6080	___________ ______________.exe	78
PID 3900 wrote to memory of 2520	3900	jjhluxw.exe	79
PID 3900 wrote to memory of 2520	3900	jjhluxw.exe	79
PID 3900 wrote to memory of 2520	3900	jjhluxw.exe	79
PID 3900 wrote to memory of 2520	3900	jjhluxw.exe	79

C:\Users\Admin\AppData\Local\Temp\___________ ______________.exe
"C:\Users\Admin\AppData\Local\Temp\___________ ______________.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
  "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe" C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe
    "C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\izwmcwjt.yhc

Filesize
6KB

MD5
19e06b8c8c60c69e11228b250568400a

SHA1
7c49e0aca8637c2adf258f98b1e7e45bcefaef53

SHA256
fb8e5832ac5a98dd0ab1030628a559627279ae256593510b0fbc6da2a43f2ad8

SHA512
e67eaebb28cab7784446cc3fbbdfb8fa3c4229225e4abdff26091a65f8adf8a912414a0bedd4b0458594776814c14f0f9cf9f18c71e3d3a75bef70b2056a389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jjhluxw.exe

Filesize
108KB

MD5
5f16ae72eb6fbd3040d5d3c18c5ac304

SHA1
4e1604b5e763aa9f336996c75cb3e8436f16850f

SHA256
3b22459608be3d78066a25fdf807f6628de79c01799cd5e03095c2ae996bca16

SHA512
7ca61d0f536638094b67f8c7b12ab5ff4d234299f2365ab9cd7de78bd1d257195b6c112039761e2620a597a65d59cfd856790db075bef6d69afdaeb35d49286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvgovin.j

Filesize
132KB

MD5
f495dbd405842d0cee36e9ff9d3be29e

SHA1
35e5f6e880f2069a94d7cfa8847040fb1bb0c8e9

SHA256
aa7ec70ab30285dcd735aa0c1feb12729c10198a4eb2ebcce50e3a1afca58da4

SHA512
44fd0a274c612094c150be66d4ab447d474f81900388fc8b1dbc9828a195bc43a05f6337132a1438612a6f329cc99880dba3c6eb997755e02713d877cc675e8c

Download Submit
memory/2520-9-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-12-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-13-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-15-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2520-16-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3900-7-0x0000000001030000-0x0000000001032000-memory.dmp

Filesize
8KB

Download