azorult | cefd36ee2214ee653970bf2c64fd35a7c0172d3bf6345a2889a9d962bbbd5313

Analysis

max time kernel
1s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0866212f6a4ce7d50eaff458c9ac80ea.exe
Size

3.1MB
MD5

0866212f6a4ce7d50eaff458c9ac80ea
SHA1

9aea3c9cdf3a829fa6eeaa4c89eca425420bbf24
SHA256

cefd36ee2214ee653970bf2c64fd35a7c0172d3bf6345a2889a9d962bbbd5313
SHA512

2b7cd8835a479aa8b61996e16e881ea0c3012660ed73b7180714fffecc311c53fd8ccfd3e2b70ae9b2e9314e70542287037d57962c1f2cc5ca0e43dcecc71ff3
SSDEEP

98304:OdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf81:OdNB4ianUstYuUR2CSHsVP81

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4684-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4684-31-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4684-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

test.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation test.exe
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

228 test.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	test.exe

pid	process
228	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3424-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/3424-59-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/3424-64-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

test.exe

pid process

228 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 228 test.exe

pid	process
228	test.exe

description	pid	process
Token: SeDebugPrivilege	228	test.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0866212f6a4ce7d50eaff458c9ac80ea.execmd.exetest.exe

description	pid	process	target process
PID 3424 wrote to memory of 3816	3424	0866212f6a4ce7d50eaff458c9ac80ea.exe	cmd.exe
PID 3424 wrote to memory of 3816	3424	0866212f6a4ce7d50eaff458c9ac80ea.exe	cmd.exe
PID 3424 wrote to memory of 3816	3424	0866212f6a4ce7d50eaff458c9ac80ea.exe	cmd.exe
PID 3816 wrote to memory of 228	3816	cmd.exe	test.exe
PID 3816 wrote to memory of 228	3816	cmd.exe	test.exe
PID 3816 wrote to memory of 228	3816	cmd.exe	test.exe
PID 228 wrote to memory of 4208	228	test.exe	File.exe
PID 228 wrote to memory of 4208	228	test.exe	File.exe
PID 228 wrote to memory of 4208	228	test.exe	File.exe

C:\Users\Admin\AppData\Local\Temp\0866212f6a4ce7d50eaff458c9ac80ea.exe
"C:\Users\Admin\AppData\Local\Temp\0866212f6a4ce7d50eaff458c9ac80ea.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      PID:4208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:2072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:2716
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:4008
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:4684
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:2784

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:4800

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
133KB

MD5
ab974195b1e1e9a548aee18b08419637

SHA1
0a0f33d08ae0535d23e43ffd994a8c95139d9545

SHA256
ae2d573172fd8f3b3b3a916af942629a4fe1c1c24e8ff670d47b09d5646df21e

SHA512
b9e3f7b7d28c120521c261146d97421bbf91315311910ea41ebc39082673111f9c85912c13197558aedb67248eef26688342f7abd3814cb2d541e4a4fc1b5d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
111KB

MD5
a53c45510972423286e77844f0a840ed

SHA1
800f7e48615067162855d7cd1c3d1e16dcf86978

SHA256
3802acbf67ee21af1685b0f440d39aa00ccdc8288ab510ac87801b48fc2194d4

SHA512
4e8abcce96854a3e24bb6adef27b137d95a0ff7dd8cf43a6020bf01b9bc3aefa70370559f966354da1396ff9633c641b41c24417b88e15a6691751a34892bc1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
158KB

MD5
3664c49929aaf9a26f5111815836c782

SHA1
753d2fdef24e6ffc661e7376795378cf5ba7349d

SHA256
1f928c49efaef07e413f5c26859aa58d719145593aec17b0fd815e77ae6bdae9

SHA512
16794d9b5f54f2784f3f22ee940d31175de0befd8b422021aec098059133ccf7f22d4a48e4d6a6f37c2b8588769efebc8e8dd2503e379df8ce4e242a6b7ad7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
92KB

MD5
6a111f1504d3d9beb081c1b0d6bbc772

SHA1
a0130c2f58418f5986f5c3253141e58112860e8c

SHA256
e94a2d25463de7e861c1e663b6d2fa954182bd280c00c09f469b10921be88f82

SHA512
573a670fc9081bc02a8e50cc445ffb8b1ba8ed4d1f68c4b311f2daaac3fb2b296fa5c86810789fb4193a3c7a1e9760f0f795c97dcb93235fb3532961fd8c4572

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
43KB

MD5
513e7b215e85ba823a310aa2d53ae104

SHA1
9793fecc367089fd358640c405c6d07570b83f63

SHA256
f95da69e6f10658a79d5b572232d2a9a16ac67d175aa0e2b007a553bd3e3f356

SHA512
18d827c910104e73efaaf19107f2ef643386ab622422ccaa4752ae178c2f61e677a2205896b37a25eda3e8ed1f2eb74efbaf943abe3168acfa864461e83623bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
4f89f7b420bef96c4f1101ee972c722b

SHA1
b5960b7e33fe3da87955c2f10006a68c88068654

SHA256
d7b66baab390e4b8fecf9b6a84fb9a8b1c1709f66baba617e80a638ec7d0eda6

SHA512
b3c81b742c3f13c578dfc339065d3a5abd74a02ec19854c75c04f8df4cd588b97193be066783257ec7294805a97d08c977fe7f1bed280e4848837d28df177ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
35KB

MD5
2d8e8790157a9432cd5675461104ece1

SHA1
c5d50da3c932798d875ba4c926cc64ab371604e6

SHA256
f1a6bada8fd437407b45195a2afcadffc0812aa3600f9464da6bd51e4fb9afcb

SHA512
ffcf009dc4e9dea2f94fe863654725dc0544495c7597c7e1c6456444a1236160ee10f2c7d205a93c112d185065e24858a1979de51fe0bbaa108da3f367692829

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
17KB

MD5
9f12cb18b9ba73e7d39ff555f30d0b29

SHA1
73d1c5e0fb7a9b39e31e6e18f4525aa66e25d26e

SHA256
8aeabb11dc4e595131917ead96d2d22f49a3c98df2722c4e46eaeaf88ec4d694

SHA512
b774113131ba7b9343e64342cbd9dff13a573d6c6b95ec6829a5e9554883e6577bd6ca64352d2c9e5660ac157f912f2d57d37f4469c78123b2501293dd5d61ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
77KB

MD5
ca3564b20be88135b36c399088f4e0c7

SHA1
61722180aa18b144655a12d7f254d74d806aca34

SHA256
0529cf52b9e6e25e0afc4f2efbaadcc35ae216349b7028c39d25f2889b327d75

SHA512
4880d19fa5a92ae536c3e3d62e3a70435c5ad46371e4dc3d34003a0cfc1d870a0d78738d4794b6e149f514efcc67bacd802fdb4f72f650bd85868fe4582ef1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
204KB

MD5
30f305d4804e38f102076e7abf682331

SHA1
759d911a0ebd2c2abd95de4c03244044a5aa45fa

SHA256
48d3882319dc7d2b32381e4cc41b7e35d7f4ea7d4b792ab1bf9442f4caf48000

SHA512
20da88cfde0d03cd812f2c61920f93e533c2dac35404fa65b15e52d06e1bf3c13c555544233397cc97727d824e41e54fd599146ca0a9d76079dd0874ca692f66

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
258KB

MD5
5305fcc0c4e51c86b6839a9761cdf45f

SHA1
e04e48eaa596e7e499be74f7109b7990d9d86f17

SHA256
da4024dcd0499cd09050db8cfa0268ed8042ee0b489d0f98f7f250c5fe2ec9d4

SHA512
961fa5726924be477760aed90d9f39912affca6bdd0dc92006a617ddc0b54f287bb083b22b8d26c4543735a05938dfafbe77c4ac7c1ab6a7dd0497b09180b42a

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
9KB

MD5
79427f7d41a51ea23df7a7ae0546725d

SHA1
ffe4803c62df3c8382cbd771da054c56df2c7a94

SHA256
013460e47392c6950800ebc669aca423598184027f4f8a5d10c0233c1fe1831e

SHA512
e33a4cb1b08343c556ca416827f26d82ff25cc1bd98e233132970c54ec74cb5bbc3aab36ff47cb8cdf18812e786f05d9da3d2d2dda6e301550debb24e5b85e3d

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
15KB

MD5
064aa17c0f6af159e29bf8ec6e9fed96

SHA1
636417e7583dd7d4b68297ac199f44630009d66f

SHA256
20431f7ffbce87f0ef83be182c0c8549a54dfea52adee842cfa1ec9c97819964

SHA512
e8ca8595c7c76cad82408a81240729ee69e94205becbe7f0c68359806fb94a6b2dc65772021f9dbb57219f03028cdf09619938bc1d49a4695868655fdf52d5be

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
memory/228-5-0x0000000000180000-0x000000000026E000-memory.dmp

Filesize
952KB

Download
memory/228-63-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/228-61-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/228-60-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/228-8-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/228-7-0x0000000004C80000-0x0000000004D1C000-memory.dmp

Filesize
624KB

Download
memory/228-6-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/228-9-0x0000000004D20000-0x0000000004DA6000-memory.dmp

Filesize
536KB

Download
memory/2356-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3424-59-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/3424-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/3424-64-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4008-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4008-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4008-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4208-23-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/4208-24-0x0000000004B90000-0x0000000004BB4000-memory.dmp

Filesize
144KB

Download
memory/4208-21-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/4208-22-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4208-66-0x0000000074E00000-0x00000000755B0000-memory.dmp

Filesize
7.7MB

Download
memory/4684-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download