General
-
Target
e0ee46172e94ab9aaed4f27dc2aab72a
-
Size
1.2MB
-
Sample
210718-4ns79sp9aa
-
MD5
e0ee46172e94ab9aaed4f27dc2aab72a
-
SHA1
4309302166ac0e8eb44d87c6f8d33d68ecb89edd
-
SHA256
37ab9185008d63309815a1bc846dcc7067374a8833b49f2bfa6f96fd784f35e9
-
SHA512
4aa6a7d9acecfd8555b045f157a6d4e1e9c6db8fa5d53426ca603cb5d72da237d6680313604eeee46fc671a0d6c6507ec6c345f2d5f2e4a4751891d508a15fc2
Static task
static1
Behavioral task
behavioral1
Sample
e0ee46172e94ab9aaed4f27dc2aab72a.exe
Resource
win7v20210410
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
oski
erolbasa.ac.ug
Extracted
asyncrat
0.5.7B
icando.ug:6970
icacxndo.ac.ug:6970
6SI8OkPnkxzcasd
-
aes_key
rkDO6u9Rg2tQZ5crWRxI7ttwjOqPWDog
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
XX
-
host
icando.ug,icacxndo.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
6SI8OkPnkxzcasd
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
Targets
-
-
Target
e0ee46172e94ab9aaed4f27dc2aab72a
-
Size
1.2MB
-
MD5
e0ee46172e94ab9aaed4f27dc2aab72a
-
SHA1
4309302166ac0e8eb44d87c6f8d33d68ecb89edd
-
SHA256
37ab9185008d63309815a1bc846dcc7067374a8833b49f2bfa6f96fd784f35e9
-
SHA512
4aa6a7d9acecfd8555b045f157a6d4e1e9c6db8fa5d53426ca603cb5d72da237d6680313604eeee46fc671a0d6c6507ec6c345f2d5f2e4a4751891d508a15fc2
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
BitRAT Payload
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Async RAT payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-