Resubmissions

06-08-2024 13:23

240806-qna2qszgkp 10

06-08-2024 13:20

240806-qla9qazfpm 7

General

  • Target

    Robokits_USB_BT_18_ServoCon_Setup_V82.exe

  • Size

    3.1MB

  • Sample

    240806-qna2qszgkp

  • MD5

    e0017606ff7935c846769b617a522c90

  • SHA1

    ccbc102781a64f7936310e8f25028101ac3ff353

  • SHA256

    0226f723ff835d0b46269c1b896fa18fef0a8ed24dc3c72872dcf4cb45be90f9

  • SHA512

    b904262e8eea28f2229f6b670cf0240314626a8736aa90ed86f7c254cbe461190f1ba0976794b08dd11242b577c29bf3b2d5d767d910ad48889697a0e0cc34c5

  • SSDEEP

    49152:sN26FOnzGn6LJvqkwnpC+mWd6uIcc+vo7dP6dF/WPxDz0peWUiz8ahxkYu:s06FOznLo0+Dd6uxc+vqYdF/WPxDIXxI

Malware Config

Extracted

Family

azorult

C2

http://boglogov.site/index.php

Targets

    • Target

      Robokits_USB_BT_18_ServoCon_Setup_V82.exe

    • Size

      3.1MB

    • MD5

      e0017606ff7935c846769b617a522c90

    • SHA1

      ccbc102781a64f7936310e8f25028101ac3ff353

    • SHA256

      0226f723ff835d0b46269c1b896fa18fef0a8ed24dc3c72872dcf4cb45be90f9

    • SHA512

      b904262e8eea28f2229f6b670cf0240314626a8736aa90ed86f7c254cbe461190f1ba0976794b08dd11242b577c29bf3b2d5d767d910ad48889697a0e0cc34c5

    • SSDEEP

      49152:sN26FOnzGn6LJvqkwnpC+mWd6uIcc+vo7dP6dF/WPxDz0peWUiz8ahxkYu:s06FOznLo0+Dd6uxc+vqYdF/WPxDIXxI

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Modifies Windows Defender Real-time Protection settings

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

    • UAC bypass

    • Windows security bypass

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Stops running service(s)

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Hide Artifacts: Hidden Users

MITRE ATT&CK Enterprise v15

Tasks