azorult

Target

advbattoexeconverter.exe
Size

804KB
Sample

240418-ts28kaae71
MD5

83bb1b476c7143552853a2cf983c1142
SHA1

8ff8ed5c533d70a7d933ec45264dd700145acd8c
SHA256

af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
SHA512

6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
SSDEEP

24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
109.248.203.81
Port:
21
Username:
alex
Password:
easypassword

Extracted

Family

warzonerat

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

netwire

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
AAAAA
lock_executable
false
mutex
CQbRXVuG
offline_keylogger
false
password
jhbkdcfgvdfgknl
registry_autorun
false
use_mutex
true

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  advbattoexeconverter.exe
- Size
  
  804KB
- MD5
  
  83bb1b476c7143552853a2cf983c1142
- SHA1
  
  8ff8ed5c533d70a7d933ec45264dd700145acd8c
- SHA256
  
  af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb
- SHA512
  
  6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a
- SSDEEP
  
  24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r
Score

10^/10

azorult crimsonrat modiloader netwire njrat revengerat rms wannacry warzonerat guest botnet discovery evasion infostealer macro macro_on_action persistence ransomware rat rezer0 stealer trojan upx worm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- CrimsonRAT main payload
- CrimsonRat
  Crimson RAT is a malware linked to a Pakistani-linked threat actor.
  rat crimsonrat
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  trojan modiloader
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Modifies visiblity of hidden/system files in Explorer
  evasion
- NetWire RAT payload
  rat
- Netwire
  Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
  botnet stealer netwire
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- RMS
  Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
  trojan rat rms
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
  trojan revengerat
- UAC bypass
  evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Windows security bypass
  evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Grants admin privileges
  Uses net.exe to modify the user's privileges.
- ModiLoader First Stage
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- RevengeRat Executable
  stealer
- Warzone RAT payload
  rat
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies Windows Firewall
  evasion
- Office macro that triggers on suspicious action
  Office document macro which triggers in special circumstances - often malicious.
  macro macro_on_action
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Stops running service(s)
  evasion
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Uses the VBS compiler for execution
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Modifies WinLogon
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1