General
- Target: d15d23927ebb3663b119dc9ece4e6f4c.exe
- Size: 1.2MB
- Sample: 210723-6arjz879je
- MD5: d15d23927ebb3663b119dc9ece4e6f4c
- SHA1: f0854a4cd8a69b3b1c8192152d3840cc6292331e
- SHA256: 299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
- SHA512: 66f1a310e26637c02023d97a954761f420dbff0b3f97714527a9abade2b60cd97af203a59d3c2464cb4d894d1d4210f33ed1226c5a4ee64fa7ab464f5f7e5c8e
Static task
- static1
Behavioral task
- behavioral1
- Sample: d15d23927ebb3663b119dc9ece4e6f4c.exe
- Resource: win7v20210408
Malware Config
Extracted: azorult
- http://195.245.112.115/index.php
Extracted: oski
- danielmax.ac.ug
Extracted: asyncrat
- 0.5.7B
- omomom.ac.ug:6970
- omkarusdajvc.ac.ug:6970
- 6SI8OkPnkxzcasd
- aes_key: sEiaxlqpFmHMU8l5j0Ycz8apFoEBTERY
- anti_detection: false
- autorun: false
- bdos: false
- delay: XX
- host: omomom.ac.ug,omkarusdajvc.ac.ug
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: 6SI8OkPnkxzcasd
- pastebin_config: null
- port: 6970
- version: 0.5.7B
Targets
- Target: d15d23927ebb3663b119dc9ece4e6f4c.exe
- Size: 1.2MB
- MD5: d15d23927ebb3663b119dc9ece4e6f4c
- SHA1: f0854a4cd8a69b3b1c8192152d3840cc6292331e
- SHA256: 299c548532e82b62f4b52ad642613b9cecc89c9be39a1da630afbc06cb7cce85
- SHA512: 66f1a310e26637c02023d97a954761f420dbff0b3f97714527a9abade2b60cd97af203a59d3c2464cb4d894d1d4210f33ed1226c5a4ee64fa7ab464f5f7e5c8e
Signatures
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- BitRAT Payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M3
- Async RAT payload
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext