azorult | bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31 | Triage

Submit
Reports

Overview

overview

Static

static

3

9232b6170f...18.exe

windows7-x64

9232b6170f...18.exe

windows10-2004-x64

Sharing

General

Target

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118
Size

11.3MB
Sample

240603-sdp41sac6w
MD5

9232b6170f9de848c09d42c7f1eb5f4c
SHA1

accb42982aee08d653885af850c4c47454b3a8d8
SHA256

bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
SHA512

4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
SSDEEP

196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt

Score

10^/10

azorult netwire botnet infostealer persistence rat stealer trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe

Resource

win7-20240508-en

azorult netwire botnet infostealer persistence rat stealer trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118.exe

Resource

win10v2004-20240508-en

azorult netwire botnet infostealer persistence rat stealer trojan

windows10-2004-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

azorult

C2

http://abnmz.akrn12.com/index.php

Extracted

Family

netwire

C2

ptmk2.ddns.net:8906

Attributes

activex_autorun
true
activex_key
{2BH726K8-04UQ-82YA-EVO8-RCTPBP542701}
copy_executable
true
delete_original
true
host_id
HostId-%Rand%
install_path
%AppData%\Install\Skyype.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
mutex
DkDoPqeJ
offline_keylogger
true
password
Ratrat123$
registry_autorun
true
startup_name
NetW
use_mutex
true

Targets

- Target
  
  9232b6170f9de848c09d42c7f1eb5f4c_JaffaCakes118
- Size
  
  11.3MB
- MD5
  
  9232b6170f9de848c09d42c7f1eb5f4c
- SHA1
  
  accb42982aee08d653885af850c4c47454b3a8d8
- SHA256
  
  bfb0dce9969d9b345e32c9e78c7c1160014274fd9b192b321de06165c7297c31
- SHA512
  
  4ecc116f704992f317addab60aaf32c203b0e7447c3ce3b275f68660db30322080135cb214f534a078ed496283db3ecae99bd142d1cce104da56765e40cd664b
- SSDEEP
  
  196608:FRhX3VojgFA1yqyBRzIyLVHsbGaSnDzMOt:FDcgK1yqqpxAGa+zbt
Score

10^/10

azorult netwire botnet infostealer persistence rat stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Modifies Installed Components in the registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

azorultnetwirebotnetinfostealerpersistenceratstealertrojan

behavioral2

azorultnetwirebotnetinfostealerpersistenceratstealertrojan

© 2018-2024

Terms | Privacy