azorult

Sharing

Copy URL

Twitter E-mail

General

Target

[CRACHEAP.NET]PW12345Kristanix_Software_Password_keygen_by_KeygenNinja.exe
Size

9.2MB
Sample

210228-2fcasps6xs
MD5

ad902aa32e3899e0800521f9a32f988c
SHA1

4f1a7ac4ce37f8fcf31802f73193d3e9a706115a
SHA256

cbdca73f35a74084333ad849b15742bed455e5bfd4ce24edb202e71586c4d77f
SHA512

631c091108d386b35d50464846fbeae2eff44480d3903866d15ac1ac61ae27eecf2361ac60a7539ca034daec8a63e161ffd66488fdae653546baf0407e11ca43

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Targets

- Target
  
  [CRACHEAP.NET]PW12345Kristanix_Software_Password_keygen_by_KeygenNinja.exe
- Size
  
  9.2MB
- MD5
  
  ad902aa32e3899e0800521f9a32f988c
- SHA1
  
  4f1a7ac4ce37f8fcf31802f73193d3e9a706115a
- SHA256
  
  cbdca73f35a74084333ad849b15742bed455e5bfd4ce24edb202e71586c4d77f
- SHA512
  
  631c091108d386b35d50464846fbeae2eff44480d3903866d15ac1ac61ae27eecf2361ac60a7539ca034daec8a63e161ffd66488fdae653546baf0407e11ca43
Score

10^/10

azorult glupteba metasploit redline smokeloader tofsee vidar xmrig agilenet backdoor bootkit discovery dropper evasion infostealer loader macro miner persistence spyware stealer trojan xlm diamondfox raccoon 9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab botnet pony rat plugx taurus_stealer upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- DiamondFox
  DiamondFox is a multipurpose botnet with many capabilities.
  botnet stealer diamondfox
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Taurus Stealer
  Taurus is an infostealer first seen in June 2020.
  trojan stealer taurus_stealer
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- DiamondFox payload
  Detects DiamondFox payload in file/memory.
- Modifies boot configuration data using bcdedit
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Disables Task Manager via registry modification
  evasion
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Sets service image path in registry
  persistence
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Program crash
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4