azorult | b77d2a8495358e831a2060b1dadf1c74e056b489970f8a3e0fecf48693368dce

General

Target

c80898f305c03178e6fb02cf47377dc3.exe
Size

3.1MB
MD5

c80898f305c03178e6fb02cf47377dc3
SHA1

74e0a04ef6d73cfc777f2e92e56ff82a75f1ff25
SHA256

b77d2a8495358e831a2060b1dadf1c74e056b489970f8a3e0fecf48693368dce
SHA512

a7b1cd1c0bc81eaeca2174a0b3caf6de193874506fe2a3da89a15c3376bf31cb3d36b17103b3aed25c10fb7ea8b9683990aa0b45386382124a4878dc7a68baea
SSDEEP

98304:odNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8I:odNB4ianUstYuUR2CSHsVP8I

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3516-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3516-31-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/3516-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

test.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 5 IoCs

Processes:

test.exeFile.exesvhost.exetmp.exesvhost.exe

pid process

1712 test.exe
60 File.exe
3516 svhost.exe
3144 tmp.exe
4980 svhost.exe

pid	process
1712	test.exe
60	File.exe
3516	svhost.exe
3144	tmp.exe
4980	svhost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1276-0-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/1276-60-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral2/memory/1276-66-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

Processes:

test.exeFile.exe

description pid process target process

PID 1712 set thread context of 3516 1712 test.exe svhost.exe
PID 60 set thread context of 4980 60 File.exe svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

test.exeFile.exe

pid process

1712 test.exe
60 File.exe
60 File.exe
1712 test.exe
1712 test.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

test.exeFile.exe

description pid process

Token: SeDebugPrivilege 1712 test.exe
Token: SeDebugPrivilege 60 File.exe

description	pid	process	target process
PID 1712 set thread context of 3516	1712	test.exe	svhost.exe
PID 60 set thread context of 4980	60	File.exe	svhost.exe

pid	process
1712	test.exe
60	File.exe
60	File.exe
1712	test.exe
1712	test.exe

description	pid	process
Token: SeDebugPrivilege	1712	test.exe
Token: SeDebugPrivilege	60	File.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

c80898f305c03178e6fb02cf47377dc3.execmd.exetest.exeFile.execmd.exe

description	pid	process	target process
PID 1276 wrote to memory of 3640	1276	c80898f305c03178e6fb02cf47377dc3.exe	cmd.exe
PID 1276 wrote to memory of 3640	1276	c80898f305c03178e6fb02cf47377dc3.exe	cmd.exe
PID 1276 wrote to memory of 3640	1276	c80898f305c03178e6fb02cf47377dc3.exe	cmd.exe
PID 3640 wrote to memory of 1712	3640	cmd.exe	test.exe
PID 3640 wrote to memory of 1712	3640	cmd.exe	test.exe
PID 3640 wrote to memory of 1712	3640	cmd.exe	test.exe
PID 1712 wrote to memory of 60	1712	test.exe	File.exe
PID 1712 wrote to memory of 60	1712	test.exe	File.exe
PID 1712 wrote to memory of 60	1712	test.exe	File.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 1712 wrote to memory of 3516	1712	test.exe	svhost.exe
PID 60 wrote to memory of 3144	60	File.exe	tmp.exe
PID 60 wrote to memory of 3144	60	File.exe	tmp.exe
PID 60 wrote to memory of 3144	60	File.exe	tmp.exe
PID 1712 wrote to memory of 2760	1712	test.exe	cmd.exe
PID 1712 wrote to memory of 2760	1712	test.exe	cmd.exe
PID 1712 wrote to memory of 2760	1712	test.exe	cmd.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 60 wrote to memory of 4980	60	File.exe	svhost.exe
PID 1712 wrote to memory of 4640	1712	test.exe	cmd.exe
PID 1712 wrote to memory of 4640	1712	test.exe	cmd.exe
PID 1712 wrote to memory of 4640	1712	test.exe	cmd.exe
PID 4640 wrote to memory of 808	4640	cmd.exe	reg.exe
PID 4640 wrote to memory of 808	4640	cmd.exe	reg.exe
PID 4640 wrote to memory of 808	4640	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe
"C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3640

C:\Users\Admin\AppData\Local\Temp\test.exe
test.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
    3⤵
    PID:4344
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    3⤵
    - Executes dropped EXE
    PID:4980
- - C:\Users\Admin\AppData\Roaming\tmp.exe
    "C:\Users\Admin\AppData\Roaming\tmp.exe"
    3⤵
    - Executes dropped EXE
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
  2⤵
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  PID:3928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  PID:3516

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:3852

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
93KB

MD5
07a29634d6916f613755b92130133724

SHA1
65a717b492ec5d8891d139da028afb580a0d7a21

SHA256
88db0d16d92adb8facdd9aead9599097e8355b48a733e325f7a4c6ef1d8205ad

SHA512
47d2d904364a189efbd33701f6c7dc231b07e481d0e69a3c6bc33f3321bb08df6d18a4954a89fa6117d2fa5831c7f80b6e3353217689185c1bfe5ef8dd266bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-22-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/60-68-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/60-23-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/60-24-0x0000000000DF0000-0x0000000000E14000-memory.dmp

Filesize
144KB

Download
memory/60-21-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/1276-0-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1276-60-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1276-66-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1712-5-0x0000000000190000-0x000000000027E000-memory.dmp

Filesize
952KB

Download
memory/1712-9-0x0000000004C10000-0x0000000004C96000-memory.dmp

Filesize
536KB

Download
memory/1712-8-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1712-7-0x0000000004CA0000-0x0000000004D3C000-memory.dmp

Filesize
624KB

Download
memory/1712-64-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1712-6-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1712-62-0x0000000004BF0000-0x0000000004C00000-memory.dmp

Filesize
64KB

Download
memory/1712-61-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/3144-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3516-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-43-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4980-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4980-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads