azorult | 682078b3572553335e5a6410d5e0e3f2b6b1dbd2d32a57da31f63f1f604cbe6c

General

Target

a5ee020839ba46412eb4e55719c397c2.exe
Size

3.1MB
MD5

a5ee020839ba46412eb4e55719c397c2
SHA1

7c5e2dfbdcc13984374ee8adee0966357c90f559
SHA256

682078b3572553335e5a6410d5e0e3f2b6b1dbd2d32a57da31f63f1f604cbe6c
SHA512

258c02451079d97b1c24fa7ba35f4b9cdd253f2bf508b53d42314f1d13cc89239fad8819d8009a992c71a71585670fae4e5238eb17a982e5cde588f6f247eaf2
SSDEEP

98304:ddNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8a:ddNB4ianUstYuUR2CSHsVP8a

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1824-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1824-34-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/1824-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 5 IoCs

Processes:

test.exeFile.exesvhost.exetmp.exesvhost.exe

pid process

2676 test.exe
232 File.exe
1824 svhost.exe
4696 tmp.exe
1204 svhost.exe

pid	process
2676	test.exe
232	File.exe
1824	svhost.exe
4696	tmp.exe
1204	svhost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3120-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/3120-59-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/3120-65-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exeFile.exe

description pid process target process

PID 2676 set thread context of 1824 2676 test.exe svhost.exe
PID 232 set thread context of 1204 232 File.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2676 set thread context of 1824	2676	test.exe	svhost.exe
PID 232 set thread context of 1204	232	File.exe	svhost.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

test.exeFile.exe

pid process

2676 test.exe
232 File.exe
2676 test.exe
2676 test.exe
2676 test.exe
232 File.exe
232 File.exe
2676 test.exe
232 File.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 2676 test.exe
Token: SeDebugPrivilege 232 File.exe

pid	process
2676	test.exe
232	File.exe
2676	test.exe
2676	test.exe
2676	test.exe
232	File.exe
232	File.exe
2676	test.exe
232	File.exe

description	pid	process
Token: SeDebugPrivilege	2676	test.exe
Token: SeDebugPrivilege	232	File.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

a5ee020839ba46412eb4e55719c397c2.execmd.exetest.exeFile.execmd.execmd.exe

description	pid	process	target process
PID 3120 wrote to memory of 2456	3120	a5ee020839ba46412eb4e55719c397c2.exe	cmd.exe
PID 3120 wrote to memory of 2456	3120	a5ee020839ba46412eb4e55719c397c2.exe	cmd.exe
PID 3120 wrote to memory of 2456	3120	a5ee020839ba46412eb4e55719c397c2.exe	cmd.exe
PID 2456 wrote to memory of 2676	2456	cmd.exe	test.exe
PID 2456 wrote to memory of 2676	2456	cmd.exe	test.exe
PID 2456 wrote to memory of 2676	2456	cmd.exe	test.exe
PID 2676 wrote to memory of 232	2676	test.exe	File.exe
PID 2676 wrote to memory of 232	2676	test.exe	File.exe
PID 2676 wrote to memory of 232	2676	test.exe	File.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 2676 wrote to memory of 1824	2676	test.exe	svhost.exe
PID 232 wrote to memory of 4696	232	File.exe	tmp.exe
PID 232 wrote to memory of 4696	232	File.exe	tmp.exe
PID 232 wrote to memory of 4696	232	File.exe	tmp.exe
PID 2676 wrote to memory of 4392	2676	test.exe	cmd.exe
PID 2676 wrote to memory of 4392	2676	test.exe	cmd.exe
PID 2676 wrote to memory of 4392	2676	test.exe	cmd.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 232 wrote to memory of 1204	232	File.exe	svhost.exe
PID 2676 wrote to memory of 5076	2676	test.exe	cmd.exe
PID 2676 wrote to memory of 5076	2676	test.exe	cmd.exe
PID 2676 wrote to memory of 5076	2676	test.exe	cmd.exe
PID 5076 wrote to memory of 4180	5076	cmd.exe	reg.exe
PID 5076 wrote to memory of 4180	5076	cmd.exe	reg.exe
PID 5076 wrote to memory of 4180	5076	cmd.exe	reg.exe
PID 2676 wrote to memory of 4604	2676	test.exe	cmd.exe
PID 2676 wrote to memory of 4604	2676	test.exe	cmd.exe
PID 2676 wrote to memory of 4604	2676	test.exe	cmd.exe
PID 232 wrote to memory of 396	232	File.exe	cmd.exe
PID 232 wrote to memory of 396	232	File.exe	cmd.exe
PID 232 wrote to memory of 396	232	File.exe	cmd.exe
PID 232 wrote to memory of 4996	232	File.exe	cmd.exe
PID 232 wrote to memory of 4996	232	File.exe	cmd.exe
PID 232 wrote to memory of 4996	232	File.exe	cmd.exe
PID 4996 wrote to memory of 3732	4996	cmd.exe	reg.exe
PID 4996 wrote to memory of 3732	4996	cmd.exe	reg.exe
PID 4996 wrote to memory of 3732	4996	cmd.exe	reg.exe
PID 232 wrote to memory of 2668	232	File.exe	cmd.exe
PID 232 wrote to memory of 2668	232	File.exe	cmd.exe
PID 232 wrote to memory of 2668	232	File.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a5ee020839ba46412eb4e55719c397c2.exe
"C:\Users\Admin\AppData\Local\Temp\a5ee020839ba46412eb4e55719c397c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:232
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        NTFS ADS
        
        PID:2668
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:4604
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:4392
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:1824

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:3732

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
344KB

MD5
ce9a7a4c4628d28061a1434311c8607b

SHA1
52b7e5bf62aaeeee8b2c72f2fe1dbf78eab35c6c

SHA256
e401085f336b1d48a85fbb672bca41e7840a313cba90074064dffd95557b32c5

SHA512
8e7ccd99c2c971e69da0ac40bd89318d529baba81b1f392afa52c174a60450ec47e8d36bb3e49227ed631b1bb2a8c167c8740275d0cb383634fc93e334ee6d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
382KB

MD5
5e3647b8f7bddb2e4662d46d966aeb63

SHA1
59ac3f2585fcf6b30604e08ea8935f544df61082

SHA256
c84e753ed7dcb9677060462d24928781fb614770d27c3bd43da15a53066df1d6

SHA512
ee9e226f8d8dc30990dc66ff53c7d8fb7c55588c460a37accff1d67d4809abf4a7ff00e0f727dd90e2efd2d646b7026007b0b6c7bdd7e776bc9617b3710a4cae

Download Submit
memory/232-22-0x0000000004A90000-0x0000000004AB4000-memory.dmp

Filesize
144KB

Download
memory/232-67-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/232-62-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/232-21-0x0000000000200000-0x000000000025C000-memory.dmp

Filesize
368KB

Download
memory/232-24-0x0000000004AC0000-0x0000000004AD0000-memory.dmp

Filesize
64KB

Download
memory/232-23-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/1204-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1204-44-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1204-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1824-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-61-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/2676-8-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/2676-7-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/2676-60-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2676-9-0x0000000004CC0000-0x0000000004D46000-memory.dmp

Filesize
536KB

Download
memory/2676-5-0x0000000000230000-0x000000000031E000-memory.dmp

Filesize
952KB

Download
memory/2676-6-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/2676-64-0x0000000074E40000-0x00000000755F0000-memory.dmp

Filesize
7.7MB

Download
memory/3120-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/3120-59-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/3120-65-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/4696-58-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads