azorult | 4fa775094435e218e2b5917f6bb4b33355ee682187f898131ea5b2ac133cbdb6

Analysis

max time kernel
0s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27d704c5c2566f86ba698e7f58f06232.exe
Size

3.1MB
MD5

27d704c5c2566f86ba698e7f58f06232
SHA1

e2c4812488e78fd9279a87385a4916d19dd8ba11
SHA256

4fa775094435e218e2b5917f6bb4b33355ee682187f898131ea5b2ac133cbdb6
SHA512

c14b52d76130ff6673b3d02011077479b301e75a2208cec5ca500e83946c2a4662074c31fdc01c09fe263a72833c3c514842eb6627c71ae365295a6cb819d72a
SSDEEP

98304:CdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf85:CdNB4ianUstYuUR2CSHsVP85

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3184-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3184-32-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3184-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3184-68-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

556 test.exe

pid	process
556	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4556-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/4556-59-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/4556-65-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

test.exe

pid process

556 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 556 test.exe

pid	process
556	test.exe

description	pid	process
Token: SeDebugPrivilege	556	test.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

27d704c5c2566f86ba698e7f58f06232.execmd.exe

description	pid	process	target process
PID 4556 wrote to memory of 2516	4556	27d704c5c2566f86ba698e7f58f06232.exe	cmd.exe
PID 4556 wrote to memory of 2516	4556	27d704c5c2566f86ba698e7f58f06232.exe	cmd.exe
PID 4556 wrote to memory of 2516	4556	27d704c5c2566f86ba698e7f58f06232.exe	cmd.exe
PID 2516 wrote to memory of 556	2516	cmd.exe	test.exe
PID 2516 wrote to memory of 556	2516	cmd.exe	test.exe
PID 2516 wrote to memory of 556	2516	cmd.exe	test.exe

C:\Users\Admin\AppData\Local\Temp\27d704c5c2566f86ba698e7f58f06232.exe
"C:\Users\Admin\AppData\Local\Temp\27d704c5c2566f86ba698e7f58f06232.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:556
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      PID:348
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:5004
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:4776
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:4164
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:3184

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2928

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
1KB

MD5
fc008e1af291be684bb643b3eb6fb7bc

SHA1
c577ca1995e3a9590f8a6fa86400b8e8c9bdd597

SHA256
6d6c61f6616505f6db574c691f08b3676915124b2f15f4de672cf234e96ff739

SHA512
cbfb84c1f5f73c29ec1e89bae854d5b0bf6d42ad26a04f4ae0cd49e213b94651721f919375d95dfc61b190dd7abcaf7fb97ffcb812961045c65973ff6d87f100

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
36KB

MD5
dc52a44236ea470f1fc9ff41e2a66541

SHA1
b03f3313270a6d9a643d3d256a0ccaf5c114c08c

SHA256
180b13a0680318e63f5a0b0d7a3dc5ba6a632196ef16ca3cc5d60f6796a7c1c5

SHA512
07fdc59a18ef725f828497f14364e8f9cd0fa3819f178fc9b14a4889c94a235656bad6732a7a99141f21c0d679cc55c785fec3dd9fc2bf4f4c62ab6c6bd61b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
27KB

MD5
3e608762c5a749bfe3c03ef725e1b444

SHA1
d687876acbde0b356d4f2b808158e4486ffb28ee

SHA256
1939c3ced4ed03ebce9239b0ffbaeb80e08682fe8f0f878004491bb74a1c55ff

SHA512
bdcf7255b75248fcfd6ef3ffa206f0d515e7ab2f237edd7a6ec25b50e8075bb458b2e8a2ac5988996c9b549c43924f021bd9182d9dba0e773235ed385d81635e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
1896fe6e86bbfcc436d9655f215e55bf

SHA1
7e315c74fc9299e8cf6fc9296652bbce3c1ef4a0

SHA256
3c32c7657a66827cf3d17743fa91352a5523e313018c3b48e6c57f8a68a48d0b

SHA512
083af34d24947315de32050282dd038a24d44c61346150c5331a6c0c0ca1927fe51f58c1e4ba757501bee96378b66d6e702a86b36eff4bdc218af409305e31f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
39KB

MD5
842b847d073cfccc1af2ddea77cf3e95

SHA1
254054c04cb26cee62abb8a037170f511ce2f024

SHA256
484960f3919314aed98f22e0606414b5d236933421b80cef52898848d11efb82

SHA512
29be4f70c1ce1e921538ad23b2b6b64bdec41480faa7a61136125d11a05f839f4b980f871905e74a7bd8937a0f375aba9890a997408ca8729b19788f720c7f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
28KB

MD5
70b37bdc33833872ce73ae4417292321

SHA1
1f5fddedadeea73f01382b16d79ae1ab42240b92

SHA256
1a3167dfd89e54d86e20bffa24be866e892e789f96a7f3191f0b3781cb708b50

SHA512
812b1ba204ba559292af7018463e304a96cbbbc14d5bd98ac1be26d8cbba22591a3a127ef28243e62048bc0afb5990738bb4b9acc4d4763438355c4c1efa796e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
9KB

MD5
f6d79cca4b6ba6b5d5dbafc82fc02ac6

SHA1
9ac5ad26605669b4b5075895486bd3dd4d393cde

SHA256
bc1dd8bd6540f3d2b2285fdb457d0e6d73bf80984e7fc41a0a3ccd7d5b77499e

SHA512
fac28f732d9666f4b493064e1530079a3ae8d2b965b446323d03d3e2ab3c7406dc69fee1da34f42839e1c8d6079251ed8776b19f13f7d40ec2ad6999d84303fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
30KB

MD5
5e5863c4fd579403c54758bc960a01e7

SHA1
0cbb2818e64da219ff0c409f50e20bd891137d94

SHA256
b40fbe1b7b324bcdd763b53f11b2fa56caad025c3f3480e44dafec38a8945ecf

SHA512
e88cc74bbeb1359c64580a00cc72a7c8c1f0cbf5f8d2bc0e5b74aa53c1093429ba07b24b952d497e33207f03f827f7b5d5b465b4cf18582c2bfe5d6ce7942034

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
57KB

MD5
fea0dbd904ac47b84a2fb82a2677c8f0

SHA1
3c4ea362fef9cdd0a9c9a76cfa12f1da61a1a46a

SHA256
ba9f3a4b68425611eadd30555190b6da5982a9beacd2de853a6d63a5c92438d5

SHA512
192ef496af1860bd571d65dbc033500ba35c69657fa2b917de6b8e2dbbd91e17f3f42fd8c2b3d2c95b7708558e557a97374e07c6b1de89a1bad14e1aee2d6556

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
78KB

MD5
2cc5d84e24c85a6cff451062098387be

SHA1
6cd7b4b2d9048bb8c743980b22769f9dd824b0b9

SHA256
19f760e9184762085c949d4e6df659cf4cac105144a552eba1ff3f9265675222

SHA512
cd42819b7162b7186bc21ec4cefdca91e03d03c540c54d7c01b967144c3034230938fdfaffc257ecf9b64def8108ae254d4e50117f7650528eceec6b1b3bc0d4

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
30KB

MD5
f327e3b5b9ca0ec02aac5fe71c4a0848

SHA1
4e760e0374b33616c29cfd42d78bfaf040f3b12c

SHA256
1a80e2806d20dbdcfd468e4805f768de83c923ee4d0d2b58af7787f32f32824f

SHA512
6f09ef06bfb0599807f80d8e48dfe16ad3fc89236c1c056c7fb67af466cda1fbaf3d9d13b1e6ad43dd41eafb69d356fcdbbed47b1d6dcbc5f5df2be01f6a7747

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
1KB

MD5
18b9d3f54162c47c84059a0c8828c35f

SHA1
80d2eb70f325b6de231d5eb9232ca4a5ff8051b5

SHA256
70d55029d146879d4f5871397ac2e06efb67a27ac67749ca96ccd8317f17ecf5

SHA512
89c88d013766df97b9a7e6833a39e9479e102dd934b8e90401d5f9d28c548fad17cb943ea72ede518c22af70e343c6e1eed67509453f3e522ecb3ee8297884a7

Download Submit
memory/348-62-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/348-22-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/348-21-0x0000000000B60000-0x0000000000BBC000-memory.dmp

Filesize
368KB

Download
memory/348-23-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/348-67-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/348-24-0x0000000005400000-0x0000000005424000-memory.dmp

Filesize
144KB

Download
memory/556-5-0x0000000000280000-0x000000000036E000-memory.dmp

Filesize
952KB

Download
memory/556-64-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/556-61-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/556-9-0x0000000004CC0000-0x0000000004D46000-memory.dmp

Filesize
536KB

Download
memory/556-60-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/556-8-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/556-7-0x00000000028A0000-0x000000000293C000-memory.dmp

Filesize
624KB

Download
memory/556-6-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1648-48-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3184-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3184-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4492-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4492-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4492-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4556-59-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4556-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4556-65-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download