azorult | ea34b776b896df9512f0aab37e3b0d56ff012a0906910a957db335f9e7dcf2d4 | Triage

Sharing

General

Target

ea34b776b896df9512f0aab37e3b0d56ff012a0906910a957db335f9e7dcf2d4
Size

454KB
Sample

220814-f2cglsacfq
MD5

2219e3d41d582ca9e23611de18433f68
SHA1

a5880e0e16382f90742e6fe6f858d15a488a7a66
SHA256

ea34b776b896df9512f0aab37e3b0d56ff012a0906910a957db335f9e7dcf2d4
SHA512

d85705ffec22e2cdc78372df30cb469482f842feda4e696c70ae63554c85712887a65779371c8a398baf791bb42266432ffd4a29b390b53b7ddb29e521d7586a

Score

10^/10

azorult remcos 08132022 infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

08132022

C2

nikahuve.ac.ug:6968

kalskala.ac.ug:6968

tuekisaa.ac.ug:6968

parthaha.ac.ug:6968

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
scaxs.dat
keylog_flag
false
keylog_folder
foracbas
keylog_path
%AppData%
mouse_option
false
mutex
sdfxyttyvcweghfgfhtd-Z6835D
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  ea34b776b896df9512f0aab37e3b0d56ff012a0906910a957db335f9e7dcf2d4
- Size
  
  454KB
- MD5
  
  2219e3d41d582ca9e23611de18433f68
- SHA1
  
  a5880e0e16382f90742e6fe6f858d15a488a7a66
- SHA256
  
  ea34b776b896df9512f0aab37e3b0d56ff012a0906910a957db335f9e7dcf2d4
- SHA512
  
  d85705ffec22e2cdc78372df30cb469482f842feda4e696c70ae63554c85712887a65779371c8a398baf791bb42266432ffd4a29b390b53b7ddb29e521d7586a
Score

10^/10

azorult remcos 08132022 infostealer persistence rat spyware trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

azorultremcos08132022infostealerpersistenceratspywaretrojan