azorult

Resubmissions

01-03-2021 05:01

210301-pb53xjck22 10

Sharing

Copy URL

Twitter E-mail

General

Target

Trojan.Killer.2.0.3.3.keygen.zip
Size

9.1MB
Sample

210301-pb53xjck22
MD5

640095595d664bd5fd694659f83a438c
SHA1

65d5fdaaf69b0e6bce7e41b862a6c9c236a864c5
SHA256

4ef0dd00905259bd6ff486919040cb5e1870d391889f40524bc61e0ac220cf20
SHA512

ead56e8f01a290e103d8d3d888c09bb32bade35dfe0e7326f5072396ea11dc2166270e19b8f6f2533a58f5677249ab25d979bfd970b1e807f9b5ab28b323edc3

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://4zavr.com/upload/

http://zynds.com/upload/

http://atvua.com/upload/

http://detse.net/upload/

http://dsdett.com/upload/

http://dtabasee.com/upload/

http://yeronogles.monster/upload/

rc4.i32

Extracted

Family

raccoon

Botnet

17694a35d42ac97e2cd3ebd196db01b372cce1b0

Attributes

url4cnc
https://telete.in/o23felk0s

rc4.plain

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Targets

- Target
  
  Trojan.Killer.2.0.3.3.keygen.exe
- Size
  
  9.2MB
- MD5
  
  86eb65e90d5fe99aec791a116b3c2dff
- SHA1
  
  4af4371843677deed5154abdb2f7082b1d09b4ea
- SHA256
  
  b7dedf916aba97deedb42dddaf30530e4c02c9b4556f4583100e088804e073e9
- SHA512
  
  789c39b7a57b772286f8e036691070ebfdb6305654c54ac11337441b35d4a71866013aa34163389237c0db0df6c55dc39d64ed3264fd9575a3efe78d6901a323
Score

10^/10

azorult bootkit discovery evasion infostealer macro persistence spyware trojan xlm glupteba metasploit raccoon redline smokeloader tofsee vidar xmrig 17694a35d42ac97e2cd3ebd196db01b372cce1b0 9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab agilenet backdoor dropper loader miner stealer pony rat plugx taurus_stealer upx
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Deletes Windows Defender Definitions
  Uses mpcmdrun utility to delete all AV definitions.
  evasion
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Taurus Stealer
  Taurus is an infostealer first seen in June 2020.
  trojan stealer taurus_stealer
- Tofsee
  Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
  trojan tofsee
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Modifies boot configuration data using bcdedit
- Nirsoft
- XMRig Miner Payload
  miner
- Creates new service(s)
  persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
  evasion
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Modifies file permissions
  discovery
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Uses the VBS compiler for execution
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5