azorult | 81367795956e95f29bc717f98bbae4e5a568badb8226aafa08774156df2b129f

General

Target

371268663c923cffb927f6a5d151ff56.exe
Size

3.1MB
MD5

371268663c923cffb927f6a5d151ff56
SHA1

f009c7ae7ff41fcdeda11dcd0323d3a38a026718
SHA256

81367795956e95f29bc717f98bbae4e5a568badb8226aafa08774156df2b129f
SHA512

4ac459dc845ae3cd69ef0e2591fb3f26e16a54b1cfd2a913fd2691f64612a6858b34cece03613536f26310516b850bbcc222fc091bce8feb415bb985f92ac16d
SSDEEP

98304:QdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf83:QdNB4ianUstYuUR2CSHsVP83

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2772-48-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-52-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-65-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-64-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-61-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-57-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-43-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2772-83-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 5 IoCs

Processes:

test.exeFile.exetmp.exesvhost.exesvhost.exe

pid process

2248 test.exe
1320 File.exe
2892 tmp.exe
2728 svhost.exe
2772 svhost.exe
Loads dropped DLL 8 IoCs

Processes:

cmd.exetest.exeFile.exe

pid process

2352 cmd.exe
2248 test.exe
1320 File.exe
2248 test.exe
1320 File.exe
1320 File.exe
1320 File.exe
2248 test.exe

pid	process
2248	test.exe
1320	File.exe
2892	tmp.exe
2728	svhost.exe
2772	svhost.exe

pid	process
2352	cmd.exe
2248	test.exe
1320	File.exe
2248	test.exe
1320	File.exe
1320	File.exe
1320	File.exe
2248	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2216-1-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2216-78-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral1/memory/2216-82-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

File.exetest.exe

description	pid	process	target process
PID 1320 set thread context of 2728	1320	File.exe	svhost.exe
PID 2248 set thread context of 2772	2248	test.exe	svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

test.exeFile.exe

pid process

2248 test.exe
1320 File.exe
1320 File.exe
2248 test.exe
1320 File.exe
2248 test.exe
1320 File.exe
2248 test.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2248 test.exe
Token: SeDebugPrivilege 1320 File.exe

pid	process
2248	test.exe
1320	File.exe
1320	File.exe
2248	test.exe
1320	File.exe
2248	test.exe
1320	File.exe
2248	test.exe

description	pid	process
Token: SeDebugPrivilege	2248	test.exe
Token: SeDebugPrivilege	1320	File.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

371268663c923cffb927f6a5d151ff56.execmd.exetest.exeFile.execmd.exe

description	pid	process	target process
PID 2216 wrote to memory of 2352	2216	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2216 wrote to memory of 2352	2216	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2216 wrote to memory of 2352	2216	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2216 wrote to memory of 2352	2216	371268663c923cffb927f6a5d151ff56.exe	cmd.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2352 wrote to memory of 2248	2352	cmd.exe	test.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 2248 wrote to memory of 1320	2248	test.exe	File.exe
PID 1320 wrote to memory of 2892	1320	File.exe	tmp.exe
PID 1320 wrote to memory of 2892	1320	File.exe	tmp.exe
PID 1320 wrote to memory of 2892	1320	File.exe	tmp.exe
PID 1320 wrote to memory of 2892	1320	File.exe	tmp.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 1320 wrote to memory of 2728	1320	File.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 2248 wrote to memory of 2772	2248	test.exe	svhost.exe
PID 1320 wrote to memory of 940	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 940	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 940	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 940	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 1968	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 1968	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 1968	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 1968	1320	File.exe	cmd.exe
PID 1968 wrote to memory of 2200	1968	cmd.exe	reg.exe
PID 1968 wrote to memory of 2200	1968	cmd.exe	reg.exe
PID 1968 wrote to memory of 2200	1968	cmd.exe	reg.exe
PID 1968 wrote to memory of 2200	1968	cmd.exe	reg.exe
PID 2248 wrote to memory of 1588	2248	test.exe	cmd.exe
PID 2248 wrote to memory of 1588	2248	test.exe	cmd.exe
PID 2248 wrote to memory of 1588	2248	test.exe	cmd.exe
PID 2248 wrote to memory of 1588	2248	test.exe	cmd.exe
PID 1320 wrote to memory of 2448	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 2448	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 2448	1320	File.exe	cmd.exe
PID 1320 wrote to memory of 2448	1320	File.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\371268663c923cffb927f6a5d151ff56.exe
"C:\Users\Admin\AppData\Local\Temp\371268663c923cffb927f6a5d151ff56.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        NTFS ADS
        
        PID:2448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:940
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2728
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:2772

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2200

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
92KB

MD5
e0addd280f5d08e98cd28190db9ff173

SHA1
762c35240c806485d936103716991ec518edb973

SHA256
fc941645429189b502848d70bff0cff94e0391af5295e571591c23cb6099e67a

SHA512
e087b75a77c10f0849633ddb2f2f658388580f19b1dc9345c79d41ef14eda18dd8b70017d180612cfa8a6461d332be3cdfce850d2c2f14a4b408a69f94b7de81

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
105KB

MD5
43015d920fcbe2822c0585280c87dc13

SHA1
b39a20389dd0bf8f726fa9a319d120866154eb95

SHA256
23e6923f8a21c6383832c988e05af765da28c6eb76f2b799fb23de5a212f6525

SHA512
ecff9441a133b11e7402e3417b9f6b962e2c12aa49d197706bfa238716856213509c129f74abc15b79b0d1ea3c0a015e6322a06f0a4e446fdfb4c3a69cf2c499

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
105KB

MD5
f2b45225eec8591f4bb353250287751f

SHA1
c75128f549bd2d91d64ddc79aa811360f27f779d

SHA256
471ab0d474d08927a92140e6870248757cfe420bde7dde60883bcdefb227932b

SHA512
c0116cfbcfc58f63e601725a87e1edfdf4f218f6c99935bb67df2000edd05b9727c209706220b88939485b2abc21bf699bf597640821d95ab334e86024fdabfe

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe

Filesize
931KB

MD5
836cda1d8a9718485cc9f9653530c2d9

SHA1
fca85ff9aa624547d9a315962d82388c300edac1

SHA256
d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72

SHA512
07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481

Download Submit
memory/1320-80-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/1320-17-0x0000000000660000-0x0000000000684000-memory.dmp

Filesize
144KB

Download
memory/1320-19-0x00000000042F0000-0x0000000004330000-memory.dmp

Filesize
256KB

Download
memory/1320-18-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/1320-16-0x00000000009F0000-0x0000000000A4C000-memory.dmp

Filesize
368KB

Download
memory/2216-82-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2216-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2216-78-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2248-5-0x0000000000B40000-0x0000000000C2E000-memory.dmp

Filesize
952KB

Download
memory/2248-81-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-79-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2248-8-0x0000000004170000-0x00000000041F6000-memory.dmp

Filesize
536KB

Download
memory/2248-7-0x00000000049D0000-0x0000000004A10000-memory.dmp

Filesize
256KB

Download
memory/2248-6-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-50-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-59-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-42-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2728-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2772-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-43-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads