Resubmissions

26-12-2020 12:58

201226-94s8r7f8lj 10

26-12-2020 12:53

201226-lkvqd8lr6s 10

General

  • Target

    Сracknet.netSmartMovie_v3_25_keygen_by_KeygenNinja.bin.zip

  • Size

    8.3MB

  • Sample

    201226-lkvqd8lr6s

  • MD5

    5c373f4a8ff01aebaf1631f7ceeb9d6e

  • SHA1

    a7df1bd423050508fe18ec240887d1a67c00cf8b

  • SHA256

    e0a8b06aba592ff8737f5ee2364c6e1b35ef1def2704f29e96535ba9320d34d1

  • SHA512

    d62fd01f4cdf8338eae1d4ddaee2cfc7e2c9818bc78369e3441c96b482c8c98a6bf42923eef181f76aa4e3f738b387de72f8bb1ef98114183d2e04f4da8b45b2

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

    • Target

      SmartMovie_v3_25_keygen_by_KeygenNinja.bin

    • Size

      8.4MB

    • MD5

      151ded4b441404ee750ec8e145033231

    • SHA1

      d457cbc70792b04975883f2132593abfca27d5e4

    • SHA256

      28944e1e246e9434af835f65c23305f7403c3d9204c31337f740282c92b63362

    • SHA512

      1bd75d8a47a921786d61dff739b49e31da5fbb94961b4ea5656702d080e6defc76a49881df51cea7269a65710a71a6e6d8082340c29655f4f3e103545fb9a028

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • JavaScript code in executable

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Bootkit

1
T1067

Defense Evasion

Install Root Certificate

1
T1130

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Tasks