azorult | 8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07

General

Target

629151c519ea438d8c8f1123eb71e751.exe
Size

3.1MB
MD5

629151c519ea438d8c8f1123eb71e751
SHA1

5b6c259947cce3501afb81393890157f1d1fb87f
SHA256

8b80621cf6ee6cfef0091af3fd0f2c39a92f0c4efe2d6ec9dc5986d519628d07
SHA512

8f592cedbc824a6820c0f37de614fd0f00492bcedd20468e5af00e91f3f06fbe0016421aa87a3f7d68512413226f1ae5e5b82ba4feae19f0a6a0b9f5a296be88
SSDEEP

98304:XdNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8x:XdNB4ianUstYuUR2CSHsVP8x

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

netwire

C2

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/740-30-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/740-31-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/740-27-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 1 IoCs

pid	Process
1396	test.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-0-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/1800-62-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx
behavioral2/memory/1800-66-0x0000000000400000-0x0000000000B9D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
3124	4056	WerFault.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1396	test.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1396	test.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2088	1800	629151c519ea438d8c8f1123eb71e751.exe	19
PID 1800 wrote to memory of 2088	1800	629151c519ea438d8c8f1123eb71e751.exe	19
PID 1800 wrote to memory of 2088	1800	629151c519ea438d8c8f1123eb71e751.exe	19
PID 2088 wrote to memory of 1396	2088	cmd.exe	20
PID 2088 wrote to memory of 1396	2088	cmd.exe	20
PID 2088 wrote to memory of 1396	2088	cmd.exe	20

C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe
"C:\Users\Admin\AppData\Local\Temp\629151c519ea438d8c8f1123eb71e751.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        
        PID:3484
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        
        PID:4056
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        
        PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      PID:4124
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4056 -ip 4056
1⤵
PID:4696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 360
1⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:3728

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/740-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-7-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/1396-6-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1396-65-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1396-63-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/1396-8-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/1396-5-0x0000000000800000-0x00000000008EE000-memory.dmp

Filesize
952KB

Download
memory/1396-9-0x00000000053A0000-0x0000000005426000-memory.dmp

Filesize
536KB

Download
memory/1800-0-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1800-66-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/1800-62-0x0000000000400000-0x0000000000B9D000-memory.dmp

Filesize
7.6MB

Download
memory/2000-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4056-47-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/4056-45-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/4056-50-0x0000000000740000-0x0000000000760000-memory.dmp

Filesize
128KB

Download
memory/4964-21-0x00000000007F0000-0x000000000084C000-memory.dmp

Filesize
368KB

Download
memory/4964-22-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-24-0x0000000005080000-0x00000000050A4000-memory.dmp

Filesize
144KB

Download
memory/4964-68-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4964-23-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads