azorult

General

Target

[CRACKNET.NET]PW12345.Fireeye_Agent_11_8_crack_by_orion.exe
Size

8.1MB
Sample

210217-5erc2sewxj
MD5

244bb7935d2fec3494b7faf2f315e40e
SHA1

60fb433cc7557003dd0596a0e935b64909b8ab89
SHA256

cccf598d56193b450a92c6582293991fd28cdf1e66f6b8e19a4a4c946bffc1e1
SHA512

d199f8a7422ef7ae58514af3a9dbb5c1921b7af240021435281dd573e38a31cf23f7490427c52b70ec2d2e54df6cb026711441ebd1fb316cd6bc2c59a412a58e

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

310b6bfba897d478c7212dc7fdbe942b00728875

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Targets

- Target
  
  [CRACKNET.NET]PW12345.Fireeye_Agent_11_8_crack_by_orion.exe
- Size
  
  8.1MB
- MD5
  
  244bb7935d2fec3494b7faf2f315e40e
- SHA1
  
  60fb433cc7557003dd0596a0e935b64909b8ab89
- SHA256
  
  cccf598d56193b450a92c6582293991fd28cdf1e66f6b8e19a4a4c946bffc1e1
- SHA512
  
  d199f8a7422ef7ae58514af3a9dbb5c1921b7af240021435281dd573e38a31cf23f7490427c52b70ec2d2e54df6cb026711441ebd1fb316cd6bc2c59a412a58e
Score

10^/10

azorult pony raccoon 310b6bfba897d478c7212dc7fdbe942b00728875 bootkit discovery evasion infostealer macro persistence rat spyware stealer trojan upx xlm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Nirsoft
- Executes dropped EXE
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3