azorult | 7d120e6aad230faf1811a9ad8876a124ae27fcafa97ddff4c1a3e7b7a19e5a03

Analysis

max time kernel
1s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

734527aaf04fdf03ec81f8886e4f1b66.exe
Size

3.1MB
MD5

734527aaf04fdf03ec81f8886e4f1b66
SHA1

8c2180f02b9494dbff83edf5e4b0e0cffabccb96
SHA256

7d120e6aad230faf1811a9ad8876a124ae27fcafa97ddff4c1a3e7b7a19e5a03
SHA512

ba8d192965a89fd3319e0ed09bdee74876aea67c8d89c8370349bf79520ed84030a557b4c76f6c27091ee4c4136dcf69a4d3851aa52b18ad7318b37c637519a8
SSDEEP

98304:zdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:zdNB4ianUstYuUR2CSHsVP8x

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2568-33-0x0000000000600000-0x0000000000633000-memory.dmp	netwire
behavioral2/memory/2568-38-0x0000000000600000-0x0000000000633000-memory.dmp	netwire
behavioral2/memory/2568-29-0x0000000000600000-0x0000000000633000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Executes dropped EXE 1 IoCs

Processes:

test.exe

pid process

860 test.exe

pid	process
860	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1960-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/1960-63-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/1960-67-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4692 2568 WerFault.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

test.exe

pid process

860 test.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

test.exe

description pid process

Token: SeDebugPrivilege 860 test.exe

pid	pid_target	process
4692	2568	WerFault.exe

pid	process
860	test.exe

description	pid	process
Token: SeDebugPrivilege	860	test.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

734527aaf04fdf03ec81f8886e4f1b66.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 4304	1960	734527aaf04fdf03ec81f8886e4f1b66.exe	cmd.exe
PID 1960 wrote to memory of 4304	1960	734527aaf04fdf03ec81f8886e4f1b66.exe	cmd.exe
PID 1960 wrote to memory of 4304	1960	734527aaf04fdf03ec81f8886e4f1b66.exe	cmd.exe
PID 4304 wrote to memory of 860	4304	cmd.exe	test.exe
PID 4304 wrote to memory of 860	4304	cmd.exe	test.exe
PID 4304 wrote to memory of 860	4304	cmd.exe	test.exe

C:\Users\Admin\AppData\Local\Temp\734527aaf04fdf03ec81f8886e4f1b66.exe
"C:\Users\Admin\AppData\Local\Temp\734527aaf04fdf03ec81f8886e4f1b66.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:860
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      PID:4700
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:4400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:3124
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:3152
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:3960
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2568 -ip 2568
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 316
1⤵
- Program crash
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
22KB

MD5
dd292bafdc9b00c08577a50eeabad7ce

SHA1
bad94da8dacd12456744bae713992fc3165bbd85

SHA256
be03cb55f1256653d955e7808bdf04bc2d14bce759ea0f62345830dcf695f663

SHA512
73eaf00df46b6154c495652bf32800c83451bb47e5ea169c28d0e024767639e8a7f2415f7b220036ca981eafd69002a730bf8d117d7d58aec5dc3ee8e23b3a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
32KB

MD5
fa2de0b3b34673d789a2baa61eaabf96

SHA1
e0cf26238deeb1a2743c02168fb14545a70519cd

SHA256
d908918bc3ae6f035d9d82ef800810bd2246cfa4042ddf6e2535bacaa0b473c4

SHA512
d7b58cc03a717af19d032009ccb1b2a5da5ad0e17e94484da47b76f611f64d225ec0393f29bbad7f244495d9cbe9cc061b5753f528d8a037d5f9157a77115270

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
81KB

MD5
7e53183ef57e12096f5397b08c6f78d9

SHA1
109d9ae98558a3096b4a112cd2cedc65b2d13165

SHA256
ae16b0f3523391ad50c9ed8fdae94167822a4d0c85c670537315c65640ead7cc

SHA512
d45052020a856f12fab7869c9251d2980ef61025c16fbd78f25c6d48d2097ad939abcdbcac6b86f2f565472b708f67b2c9445c86147902c38a4f22d6c666deff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
68KB

MD5
61f7e9798ebd6cdaf1d35355ec824ab1

SHA1
8cb635630c264355553102b0fafd468cd7166854

SHA256
6d40c5edea776c47edd581a1d740d761f179b92fe498e2499cb774e04af84ab4

SHA512
c7311abaa1035e1f3d9081347838193acc1997092d6158f669c25b5766d307161bee5080cd3f8c18b0ca775f24ead22c9ebd1001db314b112d062d50772e65db

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe

Filesize
96KB

MD5
f6277d6c995d16d93a6f55da88307f2b

SHA1
f3f65e83f4ddd32e5f82fcafd158058fd599395d

SHA256
9fa2421f6a5aa4afc80700a5d313966dfec6a3b320b050db48edfa3ae1799521

SHA512
6a987c8e3090e4d03fc712d4af2bc0982a4cc70f204c8f3247dda090c7613a1400f7380d5062a6d700b02226f417592073fb5bb3b8777f3957444c292feec4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
5fc5f58d5774723fd9e2ed8caba69604

SHA1
9aed0952d2343c9b70712b5ee5cd0a310b644cc3

SHA256
275fdeaa3c9cb74b7ddb47ac5febbe526dfc3b017e74d64c98701dce18a50bbd

SHA512
7339b697d6bd96cabd21ae13dda33da615065d6856f82d569a28dc8477962a2904d3a6e6c04929b815f0dab7ea59f17baf79016b6c7a7c5f4bd45c1339b8fad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
137KB

MD5
c7967ad4202a48d8c6123705107e25a3

SHA1
8f255d355d3fc94dabc31ec1853487296d813615

SHA256
568c912b99ee67a2299c1216f9e6a892629852dfbe9a55d8ac8222e7d08767d9

SHA512
35a2bc71a20af9c3665946c75ceadc2e0eecbfdf451b207f0105564994f6e699f9a6aa1ad4eefdcf5b652d058058814452a8b47a58efe830e69dd50d93d60e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
114KB

MD5
855b773fb070b45bb476b0c187cdce58

SHA1
86421694abd7c1b8f87c0ab6929415e7c99d4950

SHA256
10c7341b482e548833be839e0302a59b55fbfee4782df593fca352ad161cf027

SHA512
33bd647918b2bfe130820e61d26efe24134e9b43754a33d7a27779168221edc4f5c29090d4950bc9fd50a971a0b7d0df47c273d0d722aa8550e85190aa6a2330

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
113KB

MD5
da45d5a2c37d284063efefd57c6ee472

SHA1
03a704f03406eeda6cba77be05fe54f6e940d6a7

SHA256
64274bb6c4d95d08f6a718a74814b69ef9dc7da3fe3d6961465a57c5354d219c

SHA512
b8fefeea0ef502f83bbc8ea45d862fdbc2b61b40945233ab02c6a35812ba1823321416da805c24e05b4ab6597354f28533bfe9860b162cfb0262da3219b54f22

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
76KB

MD5
27ac3f5ea65b609db79af7e9dda15b67

SHA1
2dbc061a7b807c6f197c41cad339e15f95cb9001

SHA256
bdb1fae646ad3c9bf01e1fae2601bccabda7906e6d81aed5724ce695c53442fc

SHA512
898ad05834af7068fbb189626e79d679dcf62f288a4cff464e307e6ac62f767131323f97503d3aba40cce117b5c11677e1f4af334b924163a43c861e58b2d7ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
56KB

MD5
91df97ceeb480cdc3aa5c5bb23305911

SHA1
4691e2dc232ca9bf2426dd3ed5024784f214800d

SHA256
5c07032cb5c60dd3945a436b11d9a2c8c2640efe653399be0a663907847591c9

SHA512
2cda4e3546004055ef1d95a324a9236ca2c07bf020cc62c9ce7ad04da1ff0bb3a930e1c12fced59b77497032cbef7011f2e0bb4b6f1fedf56cd6303291e83d69

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
19KB

MD5
d95ea75617cb200bc2eb077e65f847b6

SHA1
3a6e682664fc579b5860b0b97b35055109944196

SHA256
63f0369e81941cd1837b4b6871f119c63457e634accea9b3556cab1bfb0bafb5

SHA512
bd9e8609b3f6026b28348e6ab16d7034bdeb27942b17dcec2ce78bee766c008de41cfbc8ea3f583e8f2f836473a1564f3753e751f604fd70e9be03b9d17089e5

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
96KB

MD5
b9d6cfac50d93388f827b0c8673d78e6

SHA1
bc208271d21b2a15d04c4a0320d797b132fadb45

SHA256
8139ad587b5ef9cae728368ca608298b5fcf498718e4b33ceacda118334f9da3

SHA512
ca50c4eb9b15fe3348fbdbfc5b04a93ce4360d343e30a94afb4854e922609321c18c06b91b773b68c7085a207221963630c80512359044d90b87b6cf37abd820

Download Submit
C:\Users\Admin\AppData\Roaming\tmp.exe

Filesize
57KB

MD5
76dfd335d2900858308c68da71c609d8

SHA1
86476caf8cbd2e9241a605cd84ddf1825658cb5c

SHA256
aed38ce2f57b4df2787842eb648a97f21efaa85d35d410693f9e42bce4b6abdc

SHA512
ee3db8bd522ecb97e0827b74ffb9108a08032e67678f9a66225dc04d4e82c153f2de9b76a00e13954cd9b2891638543f4997a0a1589b940c2fc0de58cdb9926e

Download Submit
memory/848-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/848-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/848-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/860-6-0x0000000000690000-0x000000000077E000-memory.dmp

Filesize
952KB

Download
memory/860-66-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/860-64-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/860-8-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/860-9-0x0000000005260000-0x00000000052E6000-memory.dmp

Filesize
536KB

Download
memory/860-5-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/860-7-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/1960-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1960-63-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1960-67-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2568-38-0x0000000000600000-0x0000000000633000-memory.dmp

Filesize
204KB

Download
memory/2568-29-0x0000000000600000-0x0000000000633000-memory.dmp

Filesize
204KB

Download
memory/2568-33-0x0000000000600000-0x0000000000633000-memory.dmp

Filesize
204KB

Download
memory/4400-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4700-22-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4700-24-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4700-21-0x0000000000C50000-0x0000000000CAC000-memory.dmp

Filesize
368KB

Download
memory/4700-69-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4700-23-0x00000000054F0000-0x0000000005514000-memory.dmp

Filesize
144KB

Download