General

  • Target

    ElectraSoft_FaxMail_Network_keygen_by_aaocg.rar

  • Size

    8.1MB

  • Sample

    201226-8aeylkg1vs

  • MD5

    56d6e8df5b9d26878731473094326d37

  • SHA1

    059d5bf20f2322fadbf6316fa220dece2a0c45d3

  • SHA256

    7e8e67a93443ca5c5d3cf22e884eea3d67dadf685a74eaf02e7ca6b25aac62ef

  • SHA512

    cc481b562ba8dd0e1f00ea2e6facd5bbad39acee59af906e6978514351805e807077f89da0601b763e00c825fdd6abba099eb63fa9190fd9321ab6d0b8782be9

Malware Config

Extracted

  • Family

    azorult

  • C2

    http://kvaka.li/1210776429.php

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://naritouzina.net/
    http://nukaraguasleep.net/
    http://notfortuaj.net/
    http://natuturalistic.net/
    http://zaniolofusa.net/

  • rc4.i32

  • rc4.i32

Targets

    • Target

      intro.exe

    • Size

      144KB

    • MD5

      573a20aa042eede54472fb6140bdee70

    • SHA1

      3de8cba60af02e6c687f6312edcb176d897f7d81

    • SHA256

      2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

    • SHA512

      86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

    Score
    6/10
    • Legitimate hosting services abused for malware hosting/C2

    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    Score
    1/10
    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Target

      keygen-step-3.exe

    • Size

      703KB

    • MD5

      ce25ea56c3e9ca0450231b86fd5ed130

    • SHA1

      2aec772872f0b6ce2dab37471c00a10f03abec8d

    • SHA256

      7f196afb312961e4c89fd07e3222b5b721e6ba9e00379f4faa141f113cb75059

    • SHA512

      a1b26d6da749e29187556668d61914afa7688a1e6d1616ef8d69448584c5b1e02fc1188cd1d23cbc3f0b347e9c01184b263fbb175d9b55ded2fcca0b75ae755e

    Score
    7/10
    • Deletes itself

    • Target

      keygen-step-4.exe

    • Size

      5.7MB

    • MD5

      4d5fdccc8008f4da22d1341baa275ffe

    • SHA1

      89f493c70474de63eb80ab32e00bc0781c87d84d

    • SHA256

      e8f5a52c3a638b81df8329b8862d9389714c41107ae41cf803fb9a45c4858592

    • SHA512

      6145556d0c8cb765f9f3e028e6ec280c0385baf4439f82c2eb458fb8b7abaa4e7ed9a9bc26c090266c3a5cd34076117a37c7ba571c3b916c7bc81ae08cd15cfb

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • Creates new service(s)

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      keygen.bat

    • Size

      146B

    • MD5

      98ee725f76d72ee9e9899a3fab9ba23b

    • SHA1

      45c34541a5b0aa0bb99043f6c39f49605ec4ebd8

    • SHA256

      ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff

    • SHA512

      369176b70962b18910fcbb876945873fcfb9bb251e845e3e601d38b38f3998c1808f45796be01eb5a6ccc585b2533bcf2c4d1d3e2fc63fd4fabba31e3b8c5b06

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • Windows security bypass

    • Creates new service(s)

    • Disables Task Manager via registry modification

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      user32.dll

    • Size

      1.6MB

    • MD5

      634fbe95ea4ef2e799b3d117dd9ec52e

    • SHA1

      09533551abefbc922b87d1c2553329abd328c387

    • SHA256

      1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e

    • SHA512

      7d3857623c2d6806ed56e436fba2aa72ee57978ed8261894c3d7bb97a9f747d87866ca1dfaa2bc21ea22de1544fe7daf223565b7f16d894d02219ea9a690b7cf

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Command-Line Interface (T1059): 2

Persistence

  • New Service (T1050): 2

  • Modify Existing Service (T1031): 2

  • Registry Run Keys / Startup Folder (T1060): 4

  • Bootkit (T1067): 2

Privilege Escalation

  • New Service (T1050): 2

Defense Evasion

  • Install Root Certificate (T1130): 3

  • Modify Registry (T1112): 11

  • Disabling Security Tools (T1089): 4

  • File Permissions Modification (T1222): 2

Credential Access

  • Credentials in Files (T1081): 9

Discovery

  • Remote System Discovery (T1018): 3

  • Query Registry (T1012): 8

  • System Information Discovery (T1082): 8

  • Peripheral Device Discovery (T1120): 2

Collection

  • Data from Local System (T1005): 9

Command and Control

  • Web Service (T1102): 3

Tasks

static1

azorult
Score
10/10

behavioral1

Score
6/10

behavioral2

Score
6/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

azorult, infostealer, trojan
Score
10/10

behavioral6

azorult, infostealer, trojan
Score
10/10

behavioral7

Score
7/10

behavioral8

Score
1/10

behavioral9

plugx, smokeloader, backdoor, bootkit, discovery, persistence, spyware, trojan, upx
Score
10/10

behavioral10

djvu, plugx, smokeloader, tofsee, vidar, backdoor, bootkit, discovery, evasion, persistence, ransomware, spyware, stealer, trojan, upx
Score
10/10

behavioral11

azorult, plugx, pony, smokeloader, tofsee, vidar, backdoor, bootkit, discovery, evasion, infostealer, persistence, rat, spyware, stealer, trojan
Score
10/10

behavioral12

azorult, djvu, plugx, smokeloader, tofsee, vidar, backdoor, bootkit, discovery, evasion, infostealer, persistence, ransomware, spyware, stealer, trojan, upx
Score
10/10

behavioral13

Score
1/10

behavioral14

Score
1/10