azorult | cefd36ee2214ee653970bf2c64fd35a7c0172d3bf6345a2889a9d962bbbd5313

Analysis

max time kernel
6s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0866212f6a4ce7d50eaff458c9ac80ea.exe
Size

3.1MB
MD5

0866212f6a4ce7d50eaff458c9ac80ea
SHA1

9aea3c9cdf3a829fa6eeaa4c89eca425420bbf24
SHA256

cefd36ee2214ee653970bf2c64fd35a7c0172d3bf6345a2889a9d962bbbd5313
SHA512

2b7cd8835a479aa8b61996e16e881ea0c3012660ed73b7180714fffecc311c53fd8ccfd3e2b70ae9b2e9314e70542287037d57962c1f2cc5ca0e43dcecc71ff3
SSDEEP

98304:OdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf81:OdNB4ianUstYuUR2CSHsVP81

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/2188-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2188-31-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/2188-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 4 IoCs

pid	Process
4444	test.exe
436	File.exe
2188	svhost.exe
3436	tmp.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4440-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/4440-62-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/4440-66-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4444 set thread context of 2188	4444	test.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
952	5044	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	test.exe
436	File.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	test.exe
Token: SeDebugPrivilege	436	File.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2584	4440	0866212f6a4ce7d50eaff458c9ac80ea.exe	26
PID 4440 wrote to memory of 2584	4440	0866212f6a4ce7d50eaff458c9ac80ea.exe	26
PID 4440 wrote to memory of 2584	4440	0866212f6a4ce7d50eaff458c9ac80ea.exe	26
PID 2584 wrote to memory of 4444	2584	cmd.exe	28
PID 2584 wrote to memory of 4444	2584	cmd.exe	28
PID 2584 wrote to memory of 4444	2584	cmd.exe	28
PID 4444 wrote to memory of 436	4444	test.exe	37
PID 4444 wrote to memory of 436	4444	test.exe	37
PID 4444 wrote to memory of 436	4444	test.exe	37
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 4444 wrote to memory of 2188	4444	test.exe	116
PID 436 wrote to memory of 3436	436	File.exe	115
PID 436 wrote to memory of 3436	436	File.exe	115
PID 436 wrote to memory of 3436	436	File.exe	115

C:\Users\Admin\AppData\Local\Temp\0866212f6a4ce7d50eaff458c9ac80ea.exe
"C:\Users\Admin\AppData\Local\Temp\0866212f6a4ce7d50eaff458c9ac80ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:3956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:5044
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:3436
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:5116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:3440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:4712
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:1500
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5044 -ip 5044
1⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 380
1⤵
- Program crash
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
44KB

MD5
c541c21cf8560e110d63c9e8009b0586

SHA1
501a575ba325358cc18a513052ee37ccf1db4fd1

SHA256
a7b87dbc3c2d9288d5fa60dbe4e8ea781d5d72449d40fd2d8f61fe90ea1c6a55

SHA512
96ee662209229f2ad8d8e376aac9af28a90580c590072d7646983abc9606bdaa66a85cab7c9971b0c2c524e5c2ca710f8f2f57c64f746166e9ef87023c2efdce

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
40KB

MD5
0374f3b00a6d4b1f9c4b662920e14fe9

SHA1
611e4ee282356764f8facb3d636271e16be52412

SHA256
04fe755cbced313ec9ba733807ac40ef9509018152492541c95094842217bf5e

SHA512
3db75070ae37b82e9a4cd6f442e4df1dd9e8099a6ee047b29c14438bfcb1c8127e527408d6b24eb27e6a732af208ecf0ede88ee3762886249e327f184798700f

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
106KB

MD5
a629a326d14f99236b9af7a9f57b43d9

SHA1
834dd73af3330ff688bbf79ac140b60ee3cd3115

SHA256
2437aadeffe8e5254760794f4f5626b0076e16f06effc7b91953eafc5d661f5e

SHA512
c4f9a8fd87bfe7a0ea43a1f93cba2012b93d4fc2b60386b7fd82b7d1d62690b0adcd51f880305ac297f7b03387677bba05f6586dba4334ddd6253be9700a0d44

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
206KB

MD5
3208af7118326c56a343da10ae153a6f

SHA1
cdba26cf2b58c79192e926a3834aa4a1186d55a2

SHA256
d40097b354fadb1ecab16eda0284f816beb63da3411a278e82237170b63c5df2

SHA512
855af943ebe4ab4cc30bb9024468a00274d5dcfc33ae7ccb4ee8badd1af7e79c516b5f1cd13285be6b9e588bcd00d5ed2a87fb2a0077a00ba8943a592cb5b834

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
103KB

MD5
3448e8b4396d293ef6bf57d84e126a93

SHA1
d859c9926215e46411eb34e2204a306ba73ce223

SHA256
37663686b73ab56672894206b833bbb78381255ffd285d34854c0ee030838fbc

SHA512
190ad2e3bad72411c29e3e45e25b11b2faa54da6feabf0331cb12004c41b3e556e12d5932a1e4be1ff6278d8b01b0eb4f86eb7f62200913bc4c678cf4dd64d69

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
92KB

MD5
cd9108d73b4d5646aecb9c3c510ef03f

SHA1
af976bfd5807eea1c73ff29e82de6a67c989d283

SHA256
a4c0473ee6dbb274ca61e7361f2d2e58e0b597afd6bf2542b6ece62fc1460256

SHA512
b6f388fddf294d3699b4d8dc01941fde7c83201668b25544587cdbe5511a363a0e814caf6e6fa37186a0ef438de86a1d8eafe12dcd7f87acbfc6c84ea214a4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
cf7d69887497b5c50123448dc21f75ba

SHA1
6df22c59900c4c4d409aadd7607cbf9f0f2299b0

SHA256
dcfc6bb5ca5ef0f8c56ee0da25c5053fb99f4b7b220450c600649aef6220ffdb

SHA512
882a3e6ecbaafb685f4d16d2fb77bc07be0dec76ccde62340f5d97e969c735a418390464e60cfdfd39b2655c74395a1e957b35db088af55154a943e21819eb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
224KB

MD5
49938f7ffc4b7bf2f52c26e88bc1c97b

SHA1
a28962dfec2150e7c85cbb8a9208397351f6aeb7

SHA256
606efd7cbc34b188a3ff4b7e58e413ea8a4ca893edfcb06a3d286f090dcb85be

SHA512
af37f1e73f0000365d9466d637d7cbc9601c622f799e319e1e5757d63203c37ab03d283cdbdb5a8dc4e5b3506ba3f6fcda23a26313538b82fa25d837dde24956

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
150KB

MD5
5f1568b710d57fb6cd5990ce4e18eaf0

SHA1
4f03e589b9472349fddb60b7d81c8bb10758012a

SHA256
7683503184ceb078bc8b43f64c653886627f53c1fe7a2a1fd2608c9429916bfd

SHA512
f62da00de6f38dc0f95db728ffdb902c0a936b86de97f9686861e44d4f250f4eaf23505b34b55dc407c1b89c623a69b43e7da682c8155bcb347c616e6791a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
220KB

MD5
a54209c3ebf3123900540e2b22c314da

SHA1
52151ac4de767332f3a18ca72ca431a0a21eb6dd

SHA256
c2d94c6be6368ebd8990ebf149c06b52d3009aea3d1b746fe0fe356e265be771

SHA512
047b0b7296cc51a24ac57774ebc231ec2c8688a602667e53850da0f34b43c966f8736588a99d88f5293d4cb851a07f83c2df3fa4708176eb3ec1d28120785486

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
181KB

MD5
831aeb6e6909d7f53438098014b710ff

SHA1
22a8b1951a6594393856e8f3b730ffe501558660

SHA256
0c7cdecab9602c2b50e320e8405e7cefacdcba59e14bfd58d9c02f89cb9fb4c8

SHA512
e47999c08191d6ec29d80cbc8c9d6eaf5b216c2dcc333d3405b9d13100b5e9b5a3408c7447eb885df96a07677bb0fd9c9fe3c917ce9f0de2b665c4d4a0857369

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
102KB

MD5
636b24b90ad7a8a8a20da55644c881bc

SHA1
ca77479a27478513b869dfaff9f05b118b94a7bc

SHA256
f5932b5c2b97d0465de77e640ecbe1410e2245d9e9e75f99d231b1b2e549ae6d

SHA512
44376db9f4ace09751df00bbb4b038f9d067748eb2a8eaa408431a86fbae72d578bb1d3da5fa9ff528da2313949079d11dd287721a0d7448fd86889ffef80890

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1KB

MD5
18b9d3f54162c47c84059a0c8828c35f

SHA1
80d2eb70f325b6de231d5eb9232ca4a5ff8051b5

SHA256
70d55029d146879d4f5871397ac2e06efb67a27ac67749ca96ccd8317f17ecf5

SHA512
89c88d013766df97b9a7e6833a39e9479e102dd934b8e90401d5f9d28c548fad17cb943ea72ede518c22af70e343c6e1eed67509453f3e522ecb3ee8297884a7

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
memory/436-21-0x0000000000DE0000-0x0000000000E3C000-memory.dmp

Filesize
368KB

Download
memory/436-22-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/436-68-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/436-23-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/436-24-0x0000000005680000-0x00000000056A4000-memory.dmp

Filesize
144KB

Download
memory/2188-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4440-62-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4440-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4440-66-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4444-63-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4444-7-0x0000000005940000-0x00000000059DC000-memory.dmp

Filesize
624KB

Download
memory/4444-6-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4444-5-0x0000000000FE0000-0x00000000010CE000-memory.dmp

Filesize
952KB

Download
memory/4444-9-0x0000000005A20000-0x0000000005AA6000-memory.dmp

Filesize
536KB

Download
memory/4444-65-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4444-8-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/5044-43-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/5044-47-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download
memory/5044-50-0x0000000000430000-0x0000000000450000-memory.dmp

Filesize
128KB

Download