azorult

General

Target

[CRACKNET.NET]PW12345Kasperky.anty.virus.personal.keygen.by.F4CG.exe
Size

8.1MB
Sample

210217-7369cw2s8e
MD5

ec4795ef648262d5b0a12048c9903a4a
SHA1

05daffef0b4fc04a73f211cff292fc1f4a307a15
SHA256

73c99f67daafb08c39cfe51e3e20a69cf04947639d3a2067092a292a3c23f012
SHA512

edb8f117941829124bd5015d401022d3e9a725559a3e0c1fb1c7060d997e2c728170c300bb8f067f8df5a88f347c01e6c55e90fab99e8c2de7bc93e6384d20fe

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

310b6bfba897d478c7212dc7fdbe942b00728875

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Targets

- Target
  
  [CRACKNET.NET]PW12345Kasperky.anty.virus.personal.keygen.by.F4CG.exe
- Size
  
  8.1MB
- MD5
  
  ec4795ef648262d5b0a12048c9903a4a
- SHA1
  
  05daffef0b4fc04a73f211cff292fc1f4a307a15
- SHA256
  
  73c99f67daafb08c39cfe51e3e20a69cf04947639d3a2067092a292a3c23f012
- SHA512
  
  edb8f117941829124bd5015d401022d3e9a725559a3e0c1fb1c7060d997e2c728170c300bb8f067f8df5a88f347c01e6c55e90fab99e8c2de7bc93e6384d20fe
Score

10^/10

bootkit ransomware azorult pony raccoon 310b6bfba897d478c7212dc7fdbe942b00728875 discovery evasion infostealer macro persistence rat spyware stealer trojan upx xlm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- Nirsoft
- Executes dropped EXE
- Modifies WinLogon to allow AutoLogon
  Enables rebooting of the machine without requiring login credentials.
  ransomware bootkit
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4