azorult | cc7ad13e36e3edc44ed09ca4eef9020ddf4d2d5bc13e034e87547c942ec2e40e

Analysis

max time kernel
22s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20ce4a429d0e12094d6dc8ee6bb248c9.exe
Size

3.1MB
MD5

20ce4a429d0e12094d6dc8ee6bb248c9
SHA1

02afb69fdb3f964628c6d3b20c152b1498c80912
SHA256

cc7ad13e36e3edc44ed09ca4eef9020ddf4d2d5bc13e034e87547c942ec2e40e
SHA512

05a43cd70fe5ba18717bbbff10c8c556b0e3736017498a6ee24f0917f681dd535947150d2dac834184229451073a5d0fd33e7334f59f97d0b0386add588b8b78
SSDEEP

98304:BdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:BdNB4ianUstYuUR2CSHsVP8x

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2216-37-0x00000000007A0000-0x00000000007D3000-memory.dmp	netwire
behavioral2/memory/2216-42-0x00000000007A0000-0x00000000007D3000-memory.dmp	netwire
behavioral2/memory/2216-48-0x00000000007A0000-0x00000000007D3000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

4340 test.exe

pid	process
4340	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/928-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/928-66-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/928-75-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5044 2216 WerFault.exe svhost.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

test.exe

pid process

4340 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 4340 test.exe

pid	pid_target	process	target process
5044	2216	WerFault.exe	svhost.exe

pid	process
4340	test.exe

description	pid	process
Token: SeDebugPrivilege	4340	test.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

20ce4a429d0e12094d6dc8ee6bb248c9.execmd.exe

description	pid	process	target process
PID 928 wrote to memory of 4572	928	20ce4a429d0e12094d6dc8ee6bb248c9.exe	cmd.exe
PID 928 wrote to memory of 4572	928	20ce4a429d0e12094d6dc8ee6bb248c9.exe	cmd.exe
PID 928 wrote to memory of 4572	928	20ce4a429d0e12094d6dc8ee6bb248c9.exe	cmd.exe
PID 4572 wrote to memory of 4340	4572	cmd.exe	test.exe
PID 4572 wrote to memory of 4340	4572	cmd.exe	test.exe
PID 4572 wrote to memory of 4340	4572	cmd.exe	test.exe

C:\Users\Admin\AppData\Local\Temp\20ce4a429d0e12094d6dc8ee6bb248c9.exe
"C:\Users\Admin\AppData\Local\Temp\20ce4a429d0e12094d6dc8ee6bb248c9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      PID:3328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:452
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 316
        5⤵
        Program crash
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:4224
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:5072
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:4460

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2216 -ip 2216
1⤵
PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
1KB

MD5
fc008e1af291be684bb643b3eb6fb7bc

SHA1
c577ca1995e3a9590f8a6fa86400b8e8c9bdd597

SHA256
6d6c61f6616505f6db574c691f08b3676915124b2f15f4de672cf234e96ff739

SHA512
cbfb84c1f5f73c29ec1e89bae854d5b0bf6d42ad26a04f4ae0cd49e213b94651721f919375d95dfc61b190dd7abcaf7fb97ffcb812961045c65973ff6d87f100

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
41KB

MD5
93d88b5d9a3961a0f7755b475f50c286

SHA1
7f04a8c4c0da0d9faa8d5f871c31a049be1d2c1e

SHA256
993fb544be708989e4290f40969e3daf7f048c2fa67cbe1a9ab1cbd00f568935

SHA512
1e6745ad61e90b7f9e5d0f4aa5f83344cadc31e6ed5f2ae32fa3e92c2d5642d61013e95ef8899a993e49240091e5469b6e16e819b56e0b30c8b36b53c360f2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
32KB

MD5
a1ee29bdb4c162cabb99fa3884ed9f7d

SHA1
55efc9ead2f55a5d5573d05ecdd6f2760465ef21

SHA256
4d2af31bf46d271a2182f7702c4d5d4a7d7c16644502bbb7dadb96950de28d52

SHA512
4af8c80d317232567801f7fa06ca439f203f8b50bbc11484f4c313287268a386c8c6b4dd637a1f8fac90663e357fede5060f665cd8b6f69b2beffa05cda55874

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
5d12c8c00f498884f300973f9bcf9003

SHA1
25ddeeb5074cbb82483216fb940b43ae625fe5c6

SHA256
8a5338f1551fbe70d246cd7d7a45c353477bcf74c2ef64530cc43a77d80097c9

SHA512
d05b886170a8b011bfb94a7be284279637718134a7e51b618e768f58f13276ed12083757a68f9e5fe9760e44f130d2a5ca6926f91c861b543eecb67600d66616

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
11KB

MD5
6b096921bf3f245a9c7ad2c5f67d7d4e

SHA1
790088fe4b6dc064d241eeebf2b64a8732fcf365

SHA256
e60e153523f18ec3f76279c1d42ae2d0fcb2145b5d2946a3f2f1f1c701a17f1b

SHA512
dbd492c7358f93a475a095df1bc48cafbaa063665f2ed3cd7b3310a89439b5c34fcc5ef952c5258498584f8a7415c12eb41c2bdc5be93f302e8cb99f25d64873

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1KB

MD5
fc47627179ea5dd82defd184ccb6d8e4

SHA1
3e14d19ba68cba9c774874c184e3286fa59e7b84

SHA256
c8a5ec776cd16b083813e80b644ca5aec395f1460e139ea7ae3f0b90120a05a4

SHA512
77abfa24e36914d2891d68e1212a9717972015f4809f83f68c81a2d35fb596272860908bd36a518b436455ed9c67d0b85d8fe7f9704d8d8cde3134e1f0f5ef1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
18KB

MD5
9cd04b598421eb9b1a6efe50398820ec

SHA1
5e17c20e1f2ccf499b5e87fcf32e4f1c16cf44af

SHA256
d887bf8f33476e5a1f2faf8a6f4124527793d2e75380a00b20057f326d0c65d1

SHA512
e2b19280cabe853c0ee5c091fcaf539ca652bf0f8030f9ea8b571ff7a49afa3f25466d40b937262907def3114d11c71a9042de81fb44f91195b26fece9180525

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
34KB

MD5
439bacade7881cfae21ff3ef5b60ac9a

SHA1
553d2d46e500b05a53d62f959fd916b8bf99f5f3

SHA256
2a59be8c1cf3c2d8c2dd96818c3bddb02c18c427b8e95e5b798f23a807c074b1

SHA512
1d8998b6e6c79ee527264763ce7f3bd4120d49c8f3637ab58d1ef99600b348b91031984fe358ba2339bd33639ed332e19591b015b1452126f2ffe60ba58421d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
1KB

MD5
3ce51f0d466fa4a25311a3c9f259309b

SHA1
3bc8dae33fce32ee569e52319689b66432d4d53b

SHA256
90a7d05973c8c659711d4ff6a3e49e645054c4d404fa35b582a2f51dce3d2c7f

SHA512
a1d7a175eba2ba87f53d5e4e1c67af344534e153cd0f51213c9b460952cca5e968d7b08df1bac6d74cd96df86f4cb78a1495eaad7466c563b2c0b007a49e9da5

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
92KB

MD5
45287d8d9eb92292911e8785c55ed1c7

SHA1
5d389552f119e70c6148b049d9f0c305a7a2b323

SHA256
ae13f11e6f5961e6f1c24f023404ed24aa023bc1e4c1b5c28a5c9a0d5e499930

SHA512
ed2d5a10b53ead466e0ed10d88145f10e0113df005816660c70ebce6ffdcc3b4b61c5eba294e8f05f4f7399fc03428009d48471ec7af164683dc2ea0b12e6476

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
5KB

MD5
ec424f5b792cee9b2c04c76e59aa01ea

SHA1
547462611a82ca585d7f5b2ad01de4277ad7252c

SHA256
98f5c508763beb96a3be158df0ff1bf19ebeac2ef04ac826435dbcf36413205b

SHA512
d04c1474542770b29d4be652e5d72bda71e4e4790eed278c05e86604c4e1858d36715fc1b72204d1332fe09a754b67b39ff77d161eec7686a32cc0fba70e29c3

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
4KB

MD5
b40992fd4545ac85c8243578821944b8

SHA1
c04cba3358af322029ebe395211774ebc117e7fa

SHA256
eecf9ce3f99b366e1bdb4c7e5a1b887c91a5da7e21363864d00865909efc33b2

SHA512
049ba9c9ca90c64435bcbed6c1569f3de69d99e77b039ac039047ed0e3b4f84e158473f8bcf576b8b5138cbd8f81255a3feaab216aa4882beeef1a3ba756e5e6

Download Submit
memory/452-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/452-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/452-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/928-75-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/928-66-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/928-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2216-37-0x00000000007A0000-0x00000000007D3000-memory.dmp

Filesize
204KB

Download
memory/2216-42-0x00000000007A0000-0x00000000007D3000-memory.dmp

Filesize
204KB

Download
memory/2216-48-0x00000000007A0000-0x00000000007D3000-memory.dmp

Filesize
204KB

Download
memory/3328-22-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3328-73-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3328-70-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/3328-21-0x0000000000960000-0x00000000009BC000-memory.dmp

Filesize
368KB

Download
memory/3328-23-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/3328-24-0x00000000051F0000-0x0000000005214000-memory.dmp

Filesize
144KB

Download
memory/3536-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4340-9-0x0000000004B10000-0x0000000004B96000-memory.dmp

Filesize
536KB

Download
memory/4340-7-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

Filesize
624KB

Download
memory/4340-67-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4340-69-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4340-5-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4340-8-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4340-74-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/4340-6-0x0000000000070000-0x000000000015E000-memory.dmp

Filesize
952KB

Download