azorult

General

Target

[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe
Size

9.0MB
Sample

210217-5vhra6v2pn
MD5

10a7ec6eec9d29e7cf84477015651b65
SHA1

c6b132ff8919f5da4959d68b5a9cf86919ccebee
SHA256

a252756f1326333e8587740cfecad63d80ffd26dd49d6b9699d685fb5096b730
SHA512

34c53db9f782e6899004673c3c531b58aacc2153554fd2ca06b47d80d21f8d536912f4ec7f7336738e24b034f5a567b32cf99015ee8c01259902b63a86722aaa

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

310b6bfba897d478c7212dc7fdbe942b00728875

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Targets

- Target
  
  [CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe
- Size
  
  9.0MB
- MD5
  
  10a7ec6eec9d29e7cf84477015651b65
- SHA1
  
  c6b132ff8919f5da4959d68b5a9cf86919ccebee
- SHA256
  
  a252756f1326333e8587740cfecad63d80ffd26dd49d6b9699d685fb5096b730
- SHA512
  
  34c53db9f782e6899004673c3c531b58aacc2153554fd2ca06b47d80d21f8d536912f4ec7f7336738e24b034f5a567b32cf99015ee8c01259902b63a86722aaa
Score

10^/10

azorult plugx pony raccoon redline 310b6bfba897d478c7212dc7fdbe942b00728875 bootkit discovery evasion infostealer macro persistence rat spyware stealer trojan xlm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Nirsoft
- Executes dropped EXE
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4