azorult | b77d2a8495358e831a2060b1dadf1c74e056b489970f8a3e0fecf48693368dce

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c80898f305c03178e6fb02cf47377dc3.exe
Size

3.1MB
MD5

c80898f305c03178e6fb02cf47377dc3
SHA1

74e0a04ef6d73cfc777f2e92e56ff82a75f1ff25
SHA256

b77d2a8495358e831a2060b1dadf1c74e056b489970f8a3e0fecf48693368dce
SHA512

a7b1cd1c0bc81eaeca2174a0b3caf6de193874506fe2a3da89a15c3376bf31cb3d36b17103b3aed25c10fb7ea8b9683990aa0b45386382124a4878dc7a68baea
SSDEEP

98304:odNIA2b8lIpIta0Icq+KPtYulORjiCSHwdlPtqM7RcS4FIKU21IEfrNdSf8I:odNB4ianUstYuUR2CSHsVP8I

Score

10^/10

azorult netwire botnet infostealer rat stealer trojan upx

Malware Config

Extracted

Family

azorult

https://gemateknindoperkasa.co.id/imag/index.php

Extracted

Family

netwire

174.127.99.159:7882

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
May-B
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2432-50-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-54-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-58-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-61-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-67-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-72-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-74-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2432-98-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Executes dropped EXE 5 IoCs

pid	Process
2292	test.exe
2536	File.exe
2864	tmp.exe
2416	svhost.exe
2432	svhost.exe

Loads dropped DLL 8 IoCs

pid	Process
3004	cmd.exe
2292	test.exe
2536	File.exe
2536	File.exe
2536	File.exe
2292	test.exe
2292	test.exe
2536	File.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1768-1-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral1/memory/1768-73-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx
behavioral1/memory/1768-97-0x0000000000400000-0x0000000000B9E000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2416	2536	File.exe	33
PID 2292 set thread context of 2432	2292	test.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2292	test.exe
2536	File.exe
2292	test.exe
2536	File.exe
2292	test.exe
2536	File.exe
2292	test.exe
2536	File.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	test.exe
Token: SeDebugPrivilege	2536	File.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 3004	1768	c80898f305c03178e6fb02cf47377dc3.exe	29
PID 1768 wrote to memory of 3004	1768	c80898f305c03178e6fb02cf47377dc3.exe	29
PID 1768 wrote to memory of 3004	1768	c80898f305c03178e6fb02cf47377dc3.exe	29
PID 1768 wrote to memory of 3004	1768	c80898f305c03178e6fb02cf47377dc3.exe	29
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 3004 wrote to memory of 2292	3004	cmd.exe	30
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2292 wrote to memory of 2536	2292	test.exe	31
PID 2536 wrote to memory of 2864	2536	File.exe	32
PID 2536 wrote to memory of 2864	2536	File.exe	32
PID 2536 wrote to memory of 2864	2536	File.exe	32
PID 2536 wrote to memory of 2864	2536	File.exe	32
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2536 wrote to memory of 2416	2536	File.exe	33
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2292 wrote to memory of 2432	2292	test.exe	34
PID 2292 wrote to memory of 2936	2292	test.exe	36
PID 2292 wrote to memory of 2936	2292	test.exe	36
PID 2292 wrote to memory of 2936	2292	test.exe	36
PID 2292 wrote to memory of 2936	2292	test.exe	36
PID 2536 wrote to memory of 1920	2536	File.exe	37
PID 2536 wrote to memory of 1920	2536	File.exe	37
PID 2536 wrote to memory of 1920	2536	File.exe	37
PID 2536 wrote to memory of 1920	2536	File.exe	37
PID 2292 wrote to memory of 1968	2292	test.exe	40
PID 2292 wrote to memory of 1968	2292	test.exe	40
PID 2292 wrote to memory of 1968	2292	test.exe	40
PID 2292 wrote to memory of 1968	2292	test.exe	40
PID 1968 wrote to memory of 568	1968	cmd.exe	43
PID 1968 wrote to memory of 568	1968	cmd.exe	43
PID 1968 wrote to memory of 568	1968	cmd.exe	43
PID 1968 wrote to memory of 568	1968	cmd.exe	43
PID 2536 wrote to memory of 528	2536	File.exe	42
PID 2536 wrote to memory of 528	2536	File.exe	42
PID 2536 wrote to memory of 528	2536	File.exe	42
PID 2536 wrote to memory of 528	2536	File.exe	42

C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe
"C:\Users\Admin\AppData\Local\Temp\c80898f305c03178e6fb02cf47377dc3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c test.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    test.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Users\Admin\AppData\Roaming\tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\tmp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:2416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:528
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        6⤵
        
        PID:640
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
        5⤵
        NTFS ADS
        
        PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\svhost.exe
      "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
      4⤵
      Executes dropped EXE
      PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/test.exe" "%temp%\FolderN\name.exe" /Y
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
        5⤵
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
      4⤵
      NTFS ADS
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
342KB

MD5
37c82e15058e2f8f5e9525b956e6440d

SHA1
3bf20d00bd7a7943c4066d534f5b276cac5ae39f

SHA256
80c4716318f874881151c78c4dce9a0a01be4294834f33ee7f12a8a34bb8b2b7

SHA512
5c9c37a13cac634771ae18736845b8e7c1a33fd8c6c9ae564f6863b5033a68565f0fd3da555d15870bbc547cc549153c096c44f2d7ced828baffdcfa8641da0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
947B

MD5
78c85203ddeba64d388528c5e4e20975

SHA1
11738d4396bb63f94147d7e265577ecbd2a7fd75

SHA256
e71a08c5282dcbe120739c84ea188a9fbdcb772801c78222b0bf44d56bd7a3ad

SHA512
bb35cd6a3b847a49e0cbba8cc356a447753159207866186b6ec62d69fe6a382c33a2999aeadabfaa3a48e189b088b9f01d9cf8c1bd170386b9ea577ea8774d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.4MB

MD5
dec3e3277d05a3b54d98116075960914

SHA1
c7c01eec2bd223463adfa28ba3572cc4c7845335

SHA256
39dfd654463d76d1ab2f1746a47f0192c92155269f605055cd51d3d03d9e8f4d

SHA512
f73c5a731c77e012b8458a87f20a831cadd78fdf5c385270af447904d34dda41f7d0fc2aa17f41f6bc38b7bddd37fac9d875bc394bea8df62906f95a5a784647

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
2.5MB

MD5
1a163d2c1681fa9fc6559e82f48c8b2f

SHA1
f0b32efa65823a68d92f634579f1ba1c9f1b69e0

SHA256
ef4c9879ed37cad30a1663bbb4f0468f9a9a7e91a249b6e6fbddf480c962d956

SHA512
ec823e782a6dee4e7e62bb1715e9a81e4b899b6b8f11ae45b093ae279256341e379bdc835116f4eb5735dc385d448c122586ae836b4ed23ae3fb127621df6986

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
931KB

MD5
836cda1d8a9718485cc9f9653530c2d9

SHA1
fca85ff9aa624547d9a315962d82388c300edac1

SHA256
d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72

SHA512
07ca078d79f622706d08a534f6b5e2c896152fb0d0e452781fa6be5dc90028fdf074b3b78acac438f2acf5b3f5522e70afb7db4551874a3083860213e2790481

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
2.6MB

MD5
1f7bccc57d21a4bfeddaafe514cfd74d

SHA1
4dab09179a12468cb1757cb7ca26e06d616b0a8d

SHA256
d4cb7377e8275ed47e499ab0d7ee47167829a5931ba41aa5790593595a7e1061

SHA512
9e639c777dc2d456f038c14efb7cbc871ceb1d7380a74d18fb722a28901357ccb1166c0d883562280e030f0252004ca13a1371ea480d0523c435cd0a6d9f43d8

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.4MB

MD5
03100217c5e2fe5047fa0c5b04aaa953

SHA1
fb4157a0320be5aa6df9b075e982953dd20a2f93

SHA256
ef358f8b2464d274e166ca9c26a2a05c112c4dd4db1b9b8de990ade17bc03302

SHA512
1c948671004432e6f7ee0016865e9e7994037f9c8c021b6a804351b3a9793c575d8a74e1d55739cceb95919a75f5a1c9924572b77ca5e24b69c5452b8f2b8656

Download Submit
\Users\Admin\AppData\Roaming\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
memory/1768-73-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1768-97-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/1768-1-0x0000000000400000-0x0000000000B9E000-memory.dmp

Filesize
7.6MB

Download
memory/2292-7-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/2292-94-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-92-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/2292-8-0x00000000041F0000-0x0000000004276000-memory.dmp

Filesize
536KB

Download
memory/2292-90-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2292-5-0x0000000000100000-0x00000000001EE000-memory.dmp

Filesize
952KB

Download
memory/2292-6-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2416-45-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-37-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-60-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2416-57-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-65-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2432-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-16-0x0000000000AE0000-0x0000000000B3C000-memory.dmp

Filesize
368KB

Download
memory/2536-93-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-17-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-95-0x0000000073CF0000-0x00000000743DE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-18-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2536-19-0x0000000000500000-0x0000000000524000-memory.dmp

Filesize
144KB

Download
memory/2864-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download