azorult | 371c309bc8395db6872fa594924b8cfd8a43fc573e20b5b447da709415452534

General

Target

march order lists-xlxs.exe
Size

941KB
MD5

fd76f57eaf3745563f1bc04c48b55576
SHA1

81654506e9ac750e0377d7c4a8387078bd0308cf
SHA256

4c70825b33469b490665bf6567dbce4df3f09a223f8c762090a355cee0a6b042
SHA512

05512e3bc1ad14f0f93861c9d82886b132785401d1bedcffe0f70d429f0be752053da3e17279f3e432dfa944c4f52ef5e0b263b98d6726da0b5d46ee3dcb118f
SSDEEP

12288:AG7tVVlLGUr0DVEX1UsfqdsPjbNdmBixEHqa4sQbR8W6szcfG6JS+9xJ1NyC:LdsEFaoMpQd8W3zqG6g+3J5

Score

10^/10

azorult netwire botnet defense_evasion discovery infostealer rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

185.244.30.245:3443

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
FEB9-1
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

azorult

C2

https://gemateknindoperkasa.co.id/imag/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

NetWire RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2460-35-0x0000000000400000-0x000000000042B000-memory.dmp	netwire
behavioral2/memory/2460-37-0x0000000000400000-0x000000000042B000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

march order lists-xlxs.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	march order lists-xlxs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	File.exe

Executes dropped EXE 4 IoCs

Processes:

File.exesvhost.exetmp.exesvhost.exe

pid process

116 File.exe
2460 svhost.exe
2540 tmp.exe
1876 svhost.exe

pid	process
116	File.exe
2460	svhost.exe
2540	tmp.exe
1876	svhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

march order lists-xlxs.exeFile.exe

description	pid	process	target process
PID 1132 set thread context of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 116 set thread context of 1876	116	File.exe	svhost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1356 1876 WerFault.exe svhost.exe

pid	pid_target	process	target process
1356	1876	WerFault.exe	svhost.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

march order lists-xlxs.exeFile.exereg.execmd.exereg.exesvhost.exetmp.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	march order lists-xlxs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NTFS ADS 2 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

march order lists-xlxs.exeFile.exe

pid process

1132 march order lists-xlxs.exe
116 File.exe
1132 march order lists-xlxs.exe
116 File.exe

pid	process
1132	march order lists-xlxs.exe
116	File.exe
1132	march order lists-xlxs.exe
116	File.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

march order lists-xlxs.exeFile.exe

description	pid	process
Token: SeDebugPrivilege	1132	march order lists-xlxs.exe
Token: 33	1132	march order lists-xlxs.exe
Token: SeIncBasePriorityPrivilege	1132	march order lists-xlxs.exe
Token: SeDebugPrivilege	116	File.exe
Token: 33	116	File.exe
Token: SeIncBasePriorityPrivilege	116	File.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

march order lists-xlxs.exeFile.execmd.execmd.exe

description	pid	process	target process
PID 1132 wrote to memory of 116	1132	march order lists-xlxs.exe	File.exe
PID 1132 wrote to memory of 116	1132	march order lists-xlxs.exe	File.exe
PID 1132 wrote to memory of 116	1132	march order lists-xlxs.exe	File.exe
PID 1132 wrote to memory of 2464	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 2464	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 2464	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 1220	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 1220	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 1220	1132	march order lists-xlxs.exe	cmd.exe
PID 116 wrote to memory of 1760	116	File.exe	cmd.exe
PID 116 wrote to memory of 1760	116	File.exe	cmd.exe
PID 116 wrote to memory of 1760	116	File.exe	cmd.exe
PID 116 wrote to memory of 5000	116	File.exe	cmd.exe
PID 116 wrote to memory of 5000	116	File.exe	cmd.exe
PID 116 wrote to memory of 5000	116	File.exe	cmd.exe
PID 1220 wrote to memory of 3644	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 3644	1220	cmd.exe	reg.exe
PID 1220 wrote to memory of 3644	1220	cmd.exe	reg.exe
PID 5000 wrote to memory of 4888	5000	cmd.exe	reg.exe
PID 5000 wrote to memory of 4888	5000	cmd.exe	reg.exe
PID 5000 wrote to memory of 4888	5000	cmd.exe	reg.exe
PID 1132 wrote to memory of 4396	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 4396	1132	march order lists-xlxs.exe	cmd.exe
PID 1132 wrote to memory of 4396	1132	march order lists-xlxs.exe	cmd.exe
PID 116 wrote to memory of 3440	116	File.exe	cmd.exe
PID 116 wrote to memory of 3440	116	File.exe	cmd.exe
PID 116 wrote to memory of 3440	116	File.exe	cmd.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 1132 wrote to memory of 2460	1132	march order lists-xlxs.exe	svhost.exe
PID 116 wrote to memory of 2540	116	File.exe	tmp.exe
PID 116 wrote to memory of 2540	116	File.exe	tmp.exe
PID 116 wrote to memory of 2540	116	File.exe	tmp.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe
PID 116 wrote to memory of 1876	116	File.exe	svhost.exe

C:\Users\Admin\AppData\Local\Temp\march order lists-xlxs.exe
"C:\Users\Admin\AppData\Local\Temp\march order lists-xlxs.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/File.exe" "%temp%\FolderN\name.exe" /Y
3⤵
- System Location Discovery: System Language Discovery
PID:1760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
4⤵
- System Location Discovery: System Language Discovery
PID:4888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
3⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3440

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
3⤵
- Executes dropped EXE
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 360
4⤵
- Program crash
PID:1356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/march order lists-xlxs.exe" "%temp%\FolderN\name.exe" /Y
2⤵
- System Location Discovery: System Language Discovery
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
3⤵
- System Location Discovery: System Language Discovery
PID:3644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4396

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1876 -ip 1876
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe

Filesize
518KB

MD5
af89af4000c5ce1ab950555691e0cafe

SHA1
cccbfd7a0d06b9bfcaa7dc998bdd11bdb908544d

SHA256
113076d9de3c2c59c62c67c1ad5c1401295ff69e8764d2140150d735b06d5035

SHA512
2bb4e85323c1a18aba78d89fc6c7b044bc7342d6f1fbdbe19d524419797007d3cef77accc91dfbe33ce5c4ef70e8917060a2fc6a56828615b23ab2f97c79a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk

Filesize
1KB

MD5
c11df9b7c6e4a701deaaa04bd0dcf25d

SHA1
28e4490a3413162d4b852b85ab365254b672beed

SHA256
f682721eb915b3f8bd31f733f51ebf902bd45c88b16b4258966434595a74b143

SHA512
a8a2c791334fcfe28a7cd4dbc885273191902a59a8e10c67d9e37ec44bec1061e2e69b348899788c16a0e6322a30e5e04d9b554c92480fd5c73ddf3b1e54fd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
256KB

MD5
8fdf47e0ff70c40ed3a17014aeea4232

SHA1
e6256a0159688f0560b015da4d967f41cbf8c9bd

SHA256
ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82

SHA512
bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
112KB

MD5
bae2b04e1160950e570661f55d7cd6f8

SHA1
f4abc073a091292547dda85d0ba044cab231c8da

SHA256
ab0744c19af062c698e94e8eb9ee0e67bcf9a078f53d2a6a848406e2413c4d59

SHA512
1bfef1217a6e2ecacee407eed70df9205cbfabb4ddfe06fcc11a7ddf2b42262ec3ab61421474b56b338fa76ffea9beac73530650d39eff61dffcfc25a7fe45b6

Download Submit
memory/116-20-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/116-60-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/116-56-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/116-21-0x0000000005710000-0x0000000005732000-memory.dmp

Filesize
136KB

Download
memory/116-18-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/116-19-0x0000000000DC0000-0x0000000000E46000-memory.dmp

Filesize
536KB

Download
memory/1132-6-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1132-54-0x00000000750DE000-0x00000000750DF000-memory.dmp

Filesize
4KB

Download
memory/1132-5-0x0000000005220000-0x00000000052C6000-memory.dmp

Filesize
664KB

Download
memory/1132-1-0x0000000000450000-0x0000000000540000-memory.dmp

Filesize
960KB

Download
memory/1132-4-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/1132-58-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1132-3-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/1132-2-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/1132-55-0x00000000750D0000-0x0000000075880000-memory.dmp

Filesize
7.7MB

Download
memory/1132-0-0x00000000750DE000-0x00000000750DF000-memory.dmp

Filesize
4KB

Download
memory/1876-52-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1876-50-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/2460-37-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2460-35-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2540-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads