General
Target: Steinberg.Halion.Sonic.Se.Cont.crack.zip
Size: 8.4MB
Sample: 210305-3wwrv628ee
MD5: cc30470aee2858974f1d1a8611872654
SHA1: 62388524c2ea03cad6d6775e06cce0bcec3b3a9a
SHA256: fdf42ada81b030bf1b4e39a8414169c477d0ec91324d4d3266dbc1add426f51d
SHA512: bff495e8a2580be5e5f117c3f2ca4a7383a36dbf55a453f0f3a6b5cb1d618bd490f865bd4021ebaeed98fadf0181c93a49e1e1ea72de3fcd730d356b13363aff
Static task: static1
Behavioral task: behavioral1
  Sample: Steinberg.Halion.Sonic.Se.Cont.crack.exe
  Resource: win10v20201028
Behavioral task: behavioral2
  Sample: Steinberg.Halion.Sonic.Se.Cont.crack.exe
  Resource: win10v20201028
Behavioral task: behavioral3
  Sample: Steinberg.Halion.Sonic.Se.Cont.crack.exe
  Resource: win10v20201028
Behavioral task: behavioral4
  Sample: Steinberg.Halion.Sonic.Se.Cont.crack.exe
  Resource: win10v20201028
Malware Config
Extracted: azorult
  http://kvaka.li/1210776429.php
Extracted:
  http://labsclub.com/welcome
Extracted: metasploit
  windows/single_exec
Extracted: raccoon
  51c194bfb6e404af0e5ff0b93b443907a6a845b1
  url4cnc: https://telete.in/h_focus_1
Targets
Target: Steinberg.Halion.Sonic.Se.Cont.crack.exe
Size: 8.6MB
MD5: b032b8a583084f2c43fdda1c90f7904d
SHA1: 6707fe0c05a92828ecb5490eeabead91117837d8
SHA256: b774f77c10d9b8b9d33bdcc929f29c75c35dbe97426cc9fef01206072c6b805f
SHA512: 482de32f4ee7834a2abb1c9ac7e7c0e4ed5145e2c0433de758f73b5f829d73b6b0f0cc9572e2584d6f9f72e992c4ce25da8f914340e4b58ebde8652074a03975
Azorult: An information stealer first discovered in 2016, targeting browsing history and passwords.
ElysiumStealer: ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
ElysiumStealer Payload
ElysiumStealer Support DLL
Glupteba Payload
MetaSploit: Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.
RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Checks for common network interception software: Looks in the registry for tools like Wireshark or Fiddler that are commonly used to analyze network activity.
Modifies boot configuration data using bcdedit
Nirsoft
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Possible attempt to disable PatchGuard: Rootkits can use kernel patching to embed themselves in an operating system.
Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
Loads dropped DLL
Reads data files stored by FTP clients: Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients: Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials, etc.
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops Chrome extension
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
Writes to the Master Boot Record (MBR): Bootkits write to the MBR to gain persistence at a level below the operating system.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence: Modify Existing Service (1), Registry Run Keys / Startup Folder (1), Bootkit (1), Scheduled Task (1)
Defense Evasion: Disabling Security Tools (2), Modify Registry (5), Impair Defenses (1), Install Root Certificate (1)