azorult

General

Target

e5e6dc2c08d6d34b5427ca50ecba3431.bin
Size

2.9MB
Sample

230412-fdam4shh58
MD5

89db7436b7af81e0df3733c76e9b3337
SHA1

45bd4f823b23d406456019fb4e4715150a9188c1
SHA256

b0e270a50d275af5736fb557f385e095dac5dd5a7a8ce7dc0985a1f822637bf6
SHA512

a10d6746a9d8606bc7dd5c2a2f1646f41a53a982f2f9a7fe208b85e658116436a0c2a0df1cc6cf727fa74b9951d0842b4ceb5ad7c4b586aeb339bf5ceee1fc78
SSDEEP

49152:IUFv4zYjrrm8xpIAfjARr9LN5gTnPJbJU/fks6sUCq8BSmD3uXnGBEDOT/pbIx6j:IUlHjXFCAf8RrhNSPJbi/9XSmD3uXGBn

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

04072023

C2

petronian.ac.ug:65213

marcapinyo.ug:65213

platitinas.ac.ug:65213

masontralacs.ug:65213

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
revcs.exe
copy_folder
sdf
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
vdqfxs.dat
keylog_flag
false
keylog_folder
fssvcs
keylog_path
%AppData%
mouse_option
false
mutex
fddskhjvcnkmlrf-60PZ8U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remvc
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

- Target
  
  4130ce135fbfab00618f261a0397e88479d2f61e1ed0d09ebcde525439774f3e.exe
- Size
  
  7.2MB
- MD5
  
  e5e6dc2c08d6d34b5427ca50ecba3431
- SHA1
  
  99e978ac35c3a33b075c4dbdab1e175c361e2396
- SHA256
  
  4130ce135fbfab00618f261a0397e88479d2f61e1ed0d09ebcde525439774f3e
- SHA512
  
  ef7dc22decefa854deb71713c662ffb28500bb8e0660a1da81f93bc517ffc9c6614200c9e0cdbd14d10599926358a4090c7ff9dc7e6b9a8315de13ec11c50a0c
- SSDEEP
  
  49152:A1H4VI6/UGwPVGv8i5aU0Bc21/K2Xd8nGozc30kaZt3DJIHo1fmHp+d2Zcxb2W7k:TD8GwVAn29XbozcEX7
Score

10^/10

azorult remcos rhadamanthys 04072023 collection discovery infostealer persistence rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Detect rhadamanthys stealer shellcode
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2