azorult | e561b6430b7eada808e069b7d7eb49c573e1f68007e3c87c4320039a5d599c52

Analysis

max time kernel
1s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14a8c2f67d92486c89eac26af4d2018d.exe
Size

3.1MB
MD5

14a8c2f67d92486c89eac26af4d2018d
SHA1

0e3ac0615936d2f2b371b751ddc60396c134c0b1
SHA256

e561b6430b7eada808e069b7d7eb49c573e1f68007e3c87c4320039a5d599c52
SHA512

55f366abda35de1a6af889543e68bc1a56ed2ddcddab1d29387edd3fb552e14fb2c08cc6ee50f7f58b85ab329bb1173b5590fa7f2d70165e716ef0846b17d86c
SSDEEP

98304:adNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf85:adNB4ianUstYuUR2CSHsVP85

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3332-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3332-32-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3332-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation test.exe
Executes dropped EXE 2 IoCs

Processes:

test.exeFile.exe

pid process

624 test.exe
1740 File.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	test.exe

pid	process
624	test.exe
1740	File.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1208-0-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/1208-60-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/1208-67-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

test.exe

pid process

624 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 624 test.exe

pid	process
624	test.exe

description	pid	process
Token: SeDebugPrivilege	624	test.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14a8c2f67d92486c89eac26af4d2018d.execmd.exetest.exe

description	pid	process	target process
PID 1208 wrote to memory of 1312	1208	14a8c2f67d92486c89eac26af4d2018d.exe	cmd.exe
PID 1208 wrote to memory of 1312	1208	14a8c2f67d92486c89eac26af4d2018d.exe	cmd.exe
PID 1208 wrote to memory of 1312	1208	14a8c2f67d92486c89eac26af4d2018d.exe	cmd.exe
PID 1312 wrote to memory of 624	1312	cmd.exe	test.exe
PID 1312 wrote to memory of 624	1312	cmd.exe	test.exe
PID 1312 wrote to memory of 624	1312	cmd.exe	test.exe
PID 624 wrote to memory of 1740	624	test.exe	File.exe
PID 624 wrote to memory of 1740	624	test.exe	File.exe
PID 624 wrote to memory of 1740	624	test.exe	File.exe

C:\Users\Admin\AppData\Local\Temp\14a8c2f67d92486c89eac26af4d2018d.exe
"C:\Users\Admin\AppData\Local\Temp\14a8c2f67d92486c89eac26af4d2018d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:624
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Executes dropped EXE
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:1420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:3584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:4548
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:2432
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:856
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:3332
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:3456

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
70KB

MD5
0ee5e6affe1ced7bf0d2f1e7d730a5fc

SHA1
112be39c15a2e049e506f681f5d16379245b4383

SHA256
28cc262f4ebe406508211a2fd312f971f959db0cd60c77cf13fdef009d6aa647

SHA512
73f8303391de94f3335ff2a573e12d4eb7640ea70172ce09ac1a087795d6e5e12fb929d26f9d740ec0942b4348518378b9027cfb46381cc8a048be477b26d5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
64KB

MD5
2f16e3b37a8d890ef685adb762dbb481

SHA1
5b9aeb1f199214d7b93d9926f315151e6fb698e0

SHA256
d6a060a2c8a48ec9e4ef4daeb5ea347e1adf01dfc9a81f2f9a5f84a368fa9957

SHA512
ceb2fdbcd6873e98730f26c2cb016db7381fc2d30b25f3b5c0e1f57e537538d76fac3fada2f883bee5c22d3f367dbca062545e92c9ba446d0dd668f7ff1b9c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
57KB

MD5
819d52fccb1afa6edfbfc8b1d7d161ff

SHA1
6a48b298837b0566819b1ed7c82228fd7466e06e

SHA256
61fb4967183d1bd01974748b301f25bc7a38e14cecd87f5b843abaf8938f6421

SHA512
c81579d4609cbb3ad023a4a1fe289451b04ca2ce3baeace24b47fda7225cb1a1b1c90409d2e900efd6e6fd26ce46b8370bb1db521d5917fa430ef92962e6af79

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
154KB

MD5
f0c75d62cffcbc0c8e14143195036ee5

SHA1
cc82030090a22112fa5a07ddfc63544947965df7

SHA256
06f3d5f5890b842cfd7547764bd961cc97cc2d1a0afea6cc4d7410acf8496108

SHA512
7ce23a21cbfc5af11ce32df9ce7811e6d88e31d8c583432f364841dcb160969850696da31fea7ec85443defb4afdd93cb460e22ea90d2538a56af2c221813a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
eb56cf9c203e4ac853db89b4586c64f1

SHA1
86c5bdaf6471868112f2a3a03256e65954393411

SHA256
9a8da37fa879139415c2635fe054d4efce84ddcdcf5c74a823358b468c94dc23

SHA512
e0327053bfae61d806e51d7ce0092f5844a0092009214bfc328bc8ada87f871de8392b6391f0c3bf38b438f2998aff17ad65dd14c80dc054898873d60b543c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
125KB

MD5
a2f213e25b0b765bd110bfbd848168b4

SHA1
54007a4b4fe457e5af261a5272f1329024b26be9

SHA256
434ad3e6c1a5b0863d1a34929e4752904ac9772117cc672ab4b95eb4b092a2c2

SHA512
daa8e4d2773ab7b99d507077e6a31fb549f979165522b05d35dafef278c3f0d35a0b0496db9221e466ff9331cb5d050b7d0bafb176d683036e3ed55ca1d3d3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
218KB

MD5
c950fc943cdd311510c462cfdc3f7a63

SHA1
baefbab16e51edbb8840a4ee868aaf6ca8be54fb

SHA256
fc1d2d3d5b66f80d75fae1f3be3ff1bd8637ce0cc9dba13e2e3a64ddd5752468

SHA512
cbda41b0ed1f6ca78732b64a836753c062b66619c735b7cd12f05f4c3369e751ee76a2fe38edb367bbf52036aff31d67f2ffac1515e58bcba02fc5625e8aa0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
80KB

MD5
efd3e8ece5fb8504788f3693d38dec72

SHA1
92cd1f33f5134e54e6cbb82ae4688d9178c731ee

SHA256
06e3e40533ea2a7520b33c0748e743203dbb2f62aa967c1c99a13eb3c0a8dfad

SHA512
17b7bc8e26745b46943b423004f53b3c44e10356255ad8eb1f1d0397c5a4110e1a3692f6192932dbe8afe15a6561790ef749e61cac0f19a1ff2d6631da6b3394

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
897KB

MD5
41755257b323f3dc7390efeb23a64412

SHA1
098a0f2eddb385cfa9524566efcf5f0dc21e3ec7

SHA256
6e272becf32f5d2befa733ad6f342d142e19505886d930457e0fe6452b4bf4a3

SHA512
b162e09b4d6de619882c5250bf11d57dedfadc569a2a9409517ae3db3d1fdaa6f13104b8a63c5cbd7bcab7f2e7c7c96543b2c6276d717fb3225429980650cdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
321KB

MD5
320e326c4cc2c37ff4f0b6c3ac76242b

SHA1
d57a097be9c95995d687df3d5227f89cf00c4a5d

SHA256
7e4de10530a54334f11dcf91d594fae1716299f00bc813f5c2894190aaf19b2d

SHA512
34711907baa85b198c86fa22a58a81fd232a695020eb1a53d8d5eaa41eecf977d91127a286de89d02c4d36ce276e3370f83d7ce01870349d221a17590c3c7741

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
75KB

MD5
1e84cdab97a9bf817c6740f4ae651ac2

SHA1
ccd16e76ad60c4dd3bb0d8adea820aed85fd2723

SHA256
a6f63941bffad185d143265be6ae361c3938a866be4c769b26515dc0e63f4d88

SHA512
15d1a427139429204d12d12db155b8b4bcfb357c9c4d0df867b3183335f4ff09e31c9843b2e5f61d8af0169b891daee7e7eb66125f1e866efe04a481cedf6207

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
99KB

MD5
523cb1d0486de70602569b1ea9ea2833

SHA1
7eb47a5af8b867b053f1d4fffd20243860a53576

SHA256
5bf80d8f1eef6365df5bfa76d704974eed577e3425c6a7402176b34f81bba2ae

SHA512
299080ec848b5310271c35816cca78a1144b2ca53e34c3810875dccb830a6c3d9e6a48275ca7cd1d1c957dbe2f43749bfea3dbfd5dbcaf30ff3e13f0d38634c0

Download Submit
memory/624-8-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/624-61-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/624-62-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/624-65-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/624-9-0x0000000004C60000-0x0000000004CE6000-memory.dmp

Filesize
536KB

Download
memory/624-6-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/624-7-0x0000000004BA0000-0x0000000004C3C000-memory.dmp

Filesize
624KB

Download
memory/624-5-0x0000000000110000-0x00000000001FE000-memory.dmp

Filesize
952KB

Download
memory/856-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1208-67-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1208-0-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1208-60-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1740-21-0x0000000000D00000-0x0000000000D5C000-memory.dmp

Filesize
368KB

Download
memory/1740-23-0x0000000005530000-0x0000000005554000-memory.dmp

Filesize
144KB

Download
memory/1740-63-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1740-22-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/1740-24-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/1740-69-0x0000000075050000-0x0000000075800000-memory.dmp

Filesize
7.7MB

Download
memory/2432-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3332-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download