General
-
Target
2eaf147e46a106eaf7a6c8e618060e2f.exe
-
Size
817KB
-
Sample
210723-94ynslz13x
-
MD5
2eaf147e46a106eaf7a6c8e618060e2f
-
SHA1
b3419edba9585c0b5a9a3ece82592cb9893ae17e
-
SHA256
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
-
SHA512
71e172b10385b62c242208079da62b4d8a39422d9762e3164fe5ae2edbc7413386d7a3dc8fc1f8c4562d1b45bf6fa099adc4d7dcdbf73a63d860f26f8c39aa56
Static task
static1
Behavioral task
behavioral1
Sample
2eaf147e46a106eaf7a6c8e618060e2f.exe
Resource
win7v20210410
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
asyncrat
0.5.7B
omomom.ac.ug:6970
omkarusdajvc.ac.ug:6970
6SI8OkPnkxzcasd
-
aes_key
sEiaxlqpFmHMU8l5j0Ycz8apFoEBTERY
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
XX
-
host
omomom.ac.ug,omkarusdajvc.ac.ug
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
6SI8OkPnkxzcasd
-
pastebin_config
null
-
port
6970
-
version
0.5.7B
Extracted
oski
danielmax.ac.ug
Targets
-
-
Target
2eaf147e46a106eaf7a6c8e618060e2f.exe
-
Size
817KB
-
MD5
2eaf147e46a106eaf7a6c8e618060e2f
-
SHA1
b3419edba9585c0b5a9a3ece82592cb9893ae17e
-
SHA256
367fd8584be5901c9b262975ab5e5700e0e3010d697f1161b6aafabcc7f07d07
-
SHA512
71e172b10385b62c242208079da62b4d8a39422d9762e3164fe5ae2edbc7413386d7a3dc8fc1f8c4562d1b45bf6fa099adc4d7dcdbf73a63d860f26f8c39aa56
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
BitRAT Payload
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M16
-
Async RAT payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-