azorult

General

Target

Kepserverex_5_5_14_493_crack_by_CORE.exe
Size

12.4MB
Sample

210217-827adyjx1n
MD5

9744202483058d82e7f86bbee9bc6b5a
SHA1

4dd50352acac91dcbc485738117a608c7805404e
SHA256

f3bb7544807de64fc3ea293a82cc45a99874721f4c1f2a0b62a3a2953c3efd55
SHA512

7fa834e24977b51f457619748b3d3a3785211295fc0d94ef7f4eda270c66236a5310fc2741c07c8cba29013a2b637c05ab2713c757533be391dc65fb21b78f58

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

310b6bfba897d478c7212dc7fdbe942b00728875

Attributes

url4cnc
https://telete.in/j9ca1pel

rc4.plain

Targets

- Target
  
  Kepserverex_5_5_14_493_crack_by_CORE.exe
- Size
  
  12.4MB
- MD5
  
  9744202483058d82e7f86bbee9bc6b5a
- SHA1
  
  4dd50352acac91dcbc485738117a608c7805404e
- SHA256
  
  f3bb7544807de64fc3ea293a82cc45a99874721f4c1f2a0b62a3a2953c3efd55
- SHA512
  
  7fa834e24977b51f457619748b3d3a3785211295fc0d94ef7f4eda270c66236a5310fc2741c07c8cba29013a2b637c05ab2713c757533be391dc65fb21b78f58
Score

10^/10

azorult plugx pony raccoon redline 310b6bfba897d478c7212dc7fdbe942b00728875 bootkit discovery evasion infostealer macro persistence rat spyware stealer trojan xlm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Modifies system executable filetype association
  persistence
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Registers COM server for autorun
  persistence
- Nirsoft
- Executes dropped EXE
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2