azorult

General

Target

07d6b4373f270ffefd756cf6ae19a486.exe
Size

776KB
Sample

221006-hcxscsgec9
MD5

07d6b4373f270ffefd756cf6ae19a486
SHA1

bf202d7bf1b73cb6a022b67557a5b83168059b8d
SHA256

599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
SHA512

39ba2f248de3bd2bba8d8d5601c8afd10427ec3b98ed8ff976e09cf966ab9a0c103e9adb07be4ec7cf97ac981810a67b2960b154fdfda2eeac9a4e72d3038075
SSDEEP

6144:yBZFk0sdr9W7bSwMJlj9Ntm6Q2mCC//////////////////////////////////g:yBQ0sF9WPMJhfkjOy8n9a8n99

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

0ec468673cadb705e7aab6a7b0bb3906

C2

http://193.106.191.150/

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

10052022

C2

nikahuve.ac.ug:6969

kalskala.ac.ug:6969

tuekisaa.ac.ug:6969

parthaha.ac.ug:6969

37.0.14.204:6969

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
vbaxs.dat
keylog_flag
false
keylog_folder
fsscbas
keylog_path
%AppData%
mouse_option
false
mutex
ascxsercvghfgsdmhj-SZVH2S
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  07d6b4373f270ffefd756cf6ae19a486.exe
- Size
  
  776KB
- MD5
  
  07d6b4373f270ffefd756cf6ae19a486
- SHA1
  
  bf202d7bf1b73cb6a022b67557a5b83168059b8d
- SHA256
  
  599fa7fc07b1b8265ea936ce641733fcec03eb0fe8cc4822e5a752b6629e216e
- SHA512
  
  39ba2f248de3bd2bba8d8d5601c8afd10427ec3b98ed8ff976e09cf966ab9a0c103e9adb07be4ec7cf97ac981810a67b2960b154fdfda2eeac9a4e72d3038075
- SSDEEP
  
  6144:yBZFk0sdr9W7bSwMJlj9Ntm6Q2mCC//////////////////////////////////g:yBQ0sF9WPMJhfkjOy8n9a8n99
Score

10^/10

raccoon 0ec468673cadb705e7aab6a7b0bb3906 stealer azorult remcos 10052022 discovery infostealer persistence rat spyware trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2