azorult | 04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079 | Triage

Sharing

General

Target

7a1618c1616dae2aa4402b2f9f0febc7.exe
Size

1.1MB
Sample

220818-hdgsjadff2
MD5

7a1618c1616dae2aa4402b2f9f0febc7
SHA1

0864cf603f4e06a32f3ae266a557d14055d4a34a
SHA256

04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079
SHA512

265b51572fd2087e597e49a0f92e48a3469ae177c2751267a3b113e19dbacd2ec5dd10e16e89d4ca0b854a28eae19f70130ff0c133861fee2d7ffa11cf2f0318
SSDEEP

3072:CsCrC5C51grFd75sRnuiiNi1tq/5Olg+x7Plk+Bic:41grf2QlysOl5PZf

Score

10^/10

azorult remcos 08172022 discovery infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

08172022

C2

nikahuve.ac.ug:6968

kalskala.ac.ug:6968

tuekisaa.ac.ug:6968

parthaha.ac.ug:6968

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
scaxs.dat
keylog_flag
false
keylog_folder
foracbas
keylog_path
%AppData%
mouse_option
false
mutex
sdfxyttyvcweghfgfhtd-EE5ET5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  7a1618c1616dae2aa4402b2f9f0febc7.exe
- Size
  
  1.1MB
- MD5
  
  7a1618c1616dae2aa4402b2f9f0febc7
- SHA1
  
  0864cf603f4e06a32f3ae266a557d14055d4a34a
- SHA256
  
  04fb5a1f6082a09a55bec26e0748918da0d1007e2a43c70723dc79cc7c413079
- SHA512
  
  265b51572fd2087e597e49a0f92e48a3469ae177c2751267a3b113e19dbacd2ec5dd10e16e89d4ca0b854a28eae19f70130ff0c133861fee2d7ffa11cf2f0318
- SSDEEP
  
  3072:CsCrC5C51grFd75sRnuiiNi1tq/5Olg+x7Plk+Bic:41grf2QlysOl5PZf
Score

10^/10

azorult remcos 08172022 discovery infostealer persistence rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

azorultremcos08172022discoveryinfostealerpersistenceratspywarestealertrojan

behavioral2

azorultremcos08172022discoveryinfostealerpersistenceratspywarestealertrojan