Resubmissions

  • 18-02-2021 10:24  210218-l1aaz1rfd6  (score 10)
  • 17-02-2021 21:35  210217-2esapajnj2  (score 10)

General

  • Target

    z.rar

  • Size

    8.7MB

  • Sample

    210217-2esapajnj2

  • MD5

    439e00a52e27f2a9c653cb58031277c3

  • SHA1

    3d96d6337c31d0345a85ceae45bebf15d26ea695

  • SHA256

    4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209

  • SHA512

    4bc57dbda7e07d3a4b8e957bcdcdb5d5e8dfe7b34a23cb4ead4781423dc5922bc2a8ccf9c8b6b6e2c8689aca6f52fdca67b17ca5c94f236e86cba2cf009a4866

Malware Config

Extracted
  • Family: azorult
  • C2: http://kvaka.li/1210776429.php

Extracted
  • Family: raccoon
  • Botnet: 310b6bfba897d478c7212dc7fdbe942b00728875
  • Attributes
    • url4cnc: https://telete.in/j9ca1pel
  • rc4.plain

Targets

    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    Score
    1/10
    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Target

      keygen-step-3.exe

    • Size

      704KB

    • MD5

      62d2a07135884c5c8ff742c904fddf56

    • SHA1

      46ce1f7fdf8b4cb2abe479efd5f352db9728a40b

    • SHA256

      a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81

    • SHA512

      19c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519

    Score
    7/10
    • Deletes itself

    • Target

      keygen-step-4.exe

    • Size

      6.8MB

    • MD5

      38f1d6ddf7e39767157acbb107e03250

    • SHA1

      dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8

    • SHA256

      97ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796

    • SHA512

      3ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Nirsoft

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      keygen.bat

    • Size

      123B

    • MD5

      f2632c204f883c59805093720dfe5a78

    • SHA1

      c96e3aa03805a84fec3ea4208104a25a2a9d037e

    • SHA256

      f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

    • SHA512

      5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine Payload

    • Nirsoft

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                            Count  ID
Persistence          Registry Run Keys / Startup Folder   2      T1060
Persistence          Bootkit                              2      T1067
Defense Evasion      Modify Registry                      4      T1112
Defense Evasion      Install Root Certificate             2      T1130
Credential Access    Credentials in Files                 7      T1081
Discovery            Remote System Discovery              3      T1018
Discovery            Query Registry                       6      T1012
Discovery            System Information Discovery         8      T1082
Discovery            Peripheral Device Discovery          4      T1120
Collection           Data from Local System               7      T1005
Command and Control  Web Service                          2      T1102

Tasks

  • static1: score 10/10; tags: azorult
  • behavioral1: score 1/10
  • behavioral2: score 1/10
  • behavioral3: score 10/10; tags: azorult, infostealer, trojan
  • behavioral4: score 10/10; tags: azorult, infostealer, trojan
  • behavioral5: score 7/10
  • behavioral6: score 1/10
  • behavioral7: score 10/10; tags: plugx, raccoon, redline, 310b6bfba897d478c7212dc7fdbe942b00728875, bootkit, discovery, infostealer, macro, persistence, spyware, stealer, trojan, xlm
  • behavioral8: score 10/10; tags: plugx, raccoon, redline, 310b6bfba897d478c7212dc7fdbe942b00728875, bootkit, discovery, evasion, infostealer, macro, persistence, spyware, stealer, trojan, upx, xlm
  • behavioral9: score 10/10; tags: azorult, plugx, pony, raccoon, redline, 310b6bfba897d478c7212dc7fdbe942b00728875, bootkit, discovery, infostealer, macro, persistence, rat, spyware, stealer, trojan, xlm
  • behavioral10: score 10/10; tags: azorult, pony, bootkit, discovery, evasion, infostealer, macro, persistence, rat, spyware, stealer, trojan, xlm