General
- Target: 7868056328.zip
- Size: 228KB
- Sample: 220829-h2q14sddgl
- MD5: 4b79671c26e3e0148bf6b07a34ce4f6f
- SHA1: e8bde3fb36efa795de1a2dd6be9f1fa6f5156cfa
- SHA256: 0463f3559e3f5ed005143bc3d4c62d4416daa5b2e907445cfa29b3e8b134176c
- SHA512: 032601d0bb96614af6c965b937f33c465da563129422f32192e80bc510b65030e9a090c3b28b25650cdc2436837d3367760809f5f581616bb9cd7a6adb901ad4
- SSDEEP: 3072:gT4R927JzneVnARKh+30gInz0rWJd2aLgfUrxDmVoTqeZq8NJ2nDaS8klEnAYzS0:fRo7J8aKpnzAwd2awU/DZqbaeYzSckkP
Static task: static1
Behavioral task: behavioral1
Sample: ce79cce6a2b5bfeece99a073f8da768e14b577a9feea0d3d9342aef9cb3ae3be.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: ce79cce6a2b5bfeece99a073f8da768e14b577a9feea0d3d9342aef9cb3ae3be.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted
http://timekeeper.ug/pps.ps1
Extracted
http://boundertime.ru/pps.ps1
Extracted
http://timebounder.ru/pps.ps1
Extracted
raccoon
c72b6d5f030077b948b2195ace4fb456
http://193.106.191.146/
http://185.215.113.89/
Extracted
azorult
http://195.245.112.115/index.php
Extracted
remcos
08172022
nikahuve.ac.ug:6968
kalskala.ac.ug:6968
tuekisaa.ac.ug:6968
parthaha.ac.ug:6968
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: scaxs.dat
- keylog_flag: false
- keylog_folder: foracbas
- keylog_path: %AppData%
- mouse_option: false
- mutex: sdfxyttyvcweghfgfhtd-EE5ET5
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Targets
- Target: ce79cce6a2b5bfeece99a073f8da768e14b577a9feea0d3d9342aef9cb3ae3be
- Size: 283KB
- MD5: 424ed5bcaae063a7724c49cdd93138f5
- SHA1: 7b445a485c424091a35a12176e99571fc667c0fb
- SHA256: ce79cce6a2b5bfeece99a073f8da768e14b577a9feea0d3d9342aef9cb3ae3be
- SHA512: 9f9c852e1954eebd0b00975e1ba6006f7c65333fcb8762cd4fef1be01b5f51ff48b274c25402a9b9870a9ee3f4e4ede38aceadfcf5a0b856be4851926447fa5e
- SSDEEP: 6144:iqaEtwVHhi/gZJayQPgw3x6iNVE8ykU5:i6YHnvqPgwHbfy3
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext