Overview

overview

10

Static

static

7

eba735a9be...68.exe

windows7-x64

10

eba735a9be...68.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28/12/2023, 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eba735a9bee06932dd6ea4a0d7b67e68.exe

  • Size

    3.1MB

  • MD5

    eba735a9bee06932dd6ea4a0d7b67e68

  • SHA1

    68fefa0d7ad14b5aead88ff247221a17a673e519

  • SHA256

    38fbf0cd70656bc2ef5e2d10a0f44302d7e14b2de1dfb4b7fb4f64aa92fcd754

  • SHA512

    e6d6796abc12d0c4f9ac10209394447800f7263b3a7e986174c24885b6aa1100035c3b0254e21e46fd2ce6e8f8aebcab2131c04fbd57ea3b3d582b6ecbda1b11

  • SSDEEP

    98304:kdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8g:kdNB4ianUstYuUR2CSHsVP8g

Score
10/10
azorultnetwirebotnetinfostealerratstealertrojanupx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    May-B

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    false

  • offline_keylogger

    true

  • password

    Password

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • NetWire RAT payload 8 IoCs
    rat
  • Netwire

    Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    botnetstealernetwire
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    "C:\Users\Admin\AppData\Local\Temp\File.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      2⤵
      • NTFS ADS
      PID:1680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      2⤵
        PID:764
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        2⤵
          PID:1460
        • C:\Users\Admin\AppData\Local\Temp\svhost.exe
          "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
          2⤵
          • Executes dropped EXE
          PID:2688
        • C:\Users\Admin\AppData\Roaming\tmp.exe
          "C:\Users\Admin\AppData\Roaming\tmp.exe"
          2⤵
          • Executes dropped EXE
          PID:2776
      • C:\Users\Admin\AppData\Local\Temp\test.exe
        test.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
          2⤵
          • NTFS ADS
          PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2012
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
          2⤵
            PID:2964
          • C:\Users\Admin\AppData\Local\Temp\svhost.exe
            "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
            2⤵
            • Executes dropped EXE
            PID:2772
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c test.exe
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2504
        • C:\Users\Admin\AppData\Local\Temp\eba735a9bee06932dd6ea4a0d7b67e68.exe
          "C:\Users\Admin\AppData\Local\Temp\eba735a9bee06932dd6ea4a0d7b67e68.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2512
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
          1⤵
            PID:1648
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
            1⤵
              PID:1676

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\test.exe
              Filesize

              381KB

              MD5

              68dfa5c84e416f6eb6a817da77941d22

              SHA1

              16ceb5526284556895547b5f222f21f542ebd5da

              SHA256

              f70a52412d74287142cdc9e58c5fb08ccf2874a7197cd5b4e1a4bd2685434412

              SHA512

              6bae48b7a00b4c2bb0eed2a37be9f6a809e80b237b9cd28f1d445537816d19df008744de2af8f0246e65e0e23f85241d5f4bda8270de6a7ecb622954643fe465

              Download Submit

            • \Users\Admin\AppData\Local\Temp\test.exe
              Filesize

              93KB

              MD5

              07a29634d6916f613755b92130133724

              SHA1

              65a717b492ec5d8891d139da028afb580a0d7a21

              SHA256

              88db0d16d92adb8facdd9aead9599097e8355b48a733e325f7a4c6ef1d8205ad

              SHA512

              47d2d904364a189efbd33701f6c7dc231b07e481d0e69a3c6bc33f3321bb08df6d18a4954a89fa6117d2fa5831c7f80b6e3353217689185c1bfe5ef8dd266bd5

              Download Submit

            • memory/2104-5-0x00000000010E0000-0x00000000011CE000-memory.dmp

              Filesize

              952KB

              Download

            • memory/2104-6-0x0000000074BA0000-0x000000007528E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2104-7-0x0000000004A40000-0x0000000004A80000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2104-8-0x0000000001050000-0x00000000010D6000-memory.dmp

              Filesize

              536KB

              Download

            • memory/2104-77-0x0000000074BA0000-0x000000007528E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2104-76-0x0000000004A40000-0x0000000004A80000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2104-75-0x0000000074BA0000-0x000000007528E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2512-79-0x0000000000400000-0x0000000000B9D000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/2512-1-0x0000000000400000-0x0000000000B9D000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/2512-74-0x0000000000400000-0x0000000000B9D000-memory.dmp

              Filesize

              7.6MB

              Download

            • memory/2688-51-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-50-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-81-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-58-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-56-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-53-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-46-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-48-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2688-49-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2716-16-0x0000000000800000-0x000000000085C000-memory.dmp

              Filesize

              368KB

              Download

            • memory/2716-78-0x0000000074BA0000-0x000000007528E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2716-17-0x0000000074BA0000-0x000000007528E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2716-19-0x00000000003D0000-0x00000000003F4000-memory.dmp

              Filesize

              144KB

              Download

            • memory/2716-18-0x00000000007C0000-0x0000000000800000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2772-31-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-27-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-26-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-25-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-24-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-32-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-30-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-57-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-41-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-47-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2772-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2772-80-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2776-71-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download