General
-
Target
32ac532ceca81717cd524baf4aad6c30.exe
-
Size
619KB
-
Sample
220818-hd2spsafcm
-
MD5
32ac532ceca81717cd524baf4aad6c30
-
SHA1
6f4f5b4f276e7ef23663c422ecc724a3226d4e5d
-
SHA256
65020d58d04109f2e8f46d12e43aeee9e98ec182db4bd4a2b2c336978e696c06
-
SHA512
5f77ba191939a8ff1b56af817ed1cbccbea217e888c20cd89317266d6fea02b69dc112f3c5a24769c7100d92ecc20329c79f437c466cf3d72637589bb02b3c11
-
SSDEEP
12288:JyCfVTf9z/a3mOT6OJTVEWz8EBSTUsizXCYecT6x9zz+ovV1duc/anK:JrTLOJTVeimzcTEpz+oHduiu
Static task
static1
Behavioral task
behavioral1
Sample
32ac532ceca81717cd524baf4aad6c30.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
32ac532ceca81717cd524baf4aad6c30.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
azorult
http://195.245.112.115/index.php
Extracted
remcos
08172022
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
scaxs.dat
-
keylog_flag
false
-
keylog_folder
foracbas
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
sdfxyttyvcweghfgfhtd-EE5ET5
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Targets
-
-
Target
32ac532ceca81717cd524baf4aad6c30.exe
-
Size
619KB
-
MD5
32ac532ceca81717cd524baf4aad6c30
-
SHA1
6f4f5b4f276e7ef23663c422ecc724a3226d4e5d
-
SHA256
65020d58d04109f2e8f46d12e43aeee9e98ec182db4bd4a2b2c336978e696c06
-
SHA512
5f77ba191939a8ff1b56af817ed1cbccbea217e888c20cd89317266d6fea02b69dc112f3c5a24769c7100d92ecc20329c79f437c466cf3d72637589bb02b3c11
-
SSDEEP
12288:JyCfVTf9z/a3mOT6OJTVEWz8EBSTUsizXCYecT6x9zz+ovV1duc/anK:JrTLOJTVeimzcTEpz+oHduiu
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-