azorult

Sharing

Copy URL

Twitter E-mail

General

Target

Windows_10_Pro_x64_Includes_keygen_by_KeygenNinja.zip
Size

8.1MB
Sample

210309-cqrfljh4x6
MD5

3f8a12a936a0efc4b5d48ebc9f86ee8e
SHA1

6ffefa1d062244fd77e88f2d86b0918b423da081
SHA256

1380a245c4e47be73dfdb1c2e4b11bdc3b2bb5963bd8674f190f725bbedd550a
SHA512

1ccffdac665150f90f386fdf5438c3f994d20c2149ac1dcc62884dd44cb9b3bc4fc5de7e56ca7209bd3b02664d2a4fa2e7e4fe06c9e8f6a98d0f3eec43c7c437

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

51c194bfb6e404af0e5ff0b93b443907a6a845b1

Attributes

url4cnc
https://telete.in/h_focus_1

rc4.plain

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2019

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

afefd33a49c7cbd55d417545269920f24c85aa37

Attributes

url4cnc
https://telete.in/jagressor_kz

rc4.plain

Extracted

Family

raccoon

Botnet

e71b51d358b75fe1407b56bf2284e3fac50c860f

Attributes

url4cnc
https://telete.in/oidmrwednesday

rc4.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Targets

- Target
  
  Windows_10_Pro_x64_Includes_keygen_by_KeygenNinja.exe
- Size
  
  8.2MB
- MD5
  
  456c5963a08824d34303db846ff8bf14
- SHA1
  
  c03e0c681008417923c0280a204fe7b54087154b
- SHA256
  
  413b1728b45d73f2d18d016edf377a461d58eec8bb662825713666d696cd3cdf
- SHA512
  
  6a14d4d6e57964f4fa79787c0badbac4773587874871f2095e01dcf3ab091d78a4892a63b6a74de5363d6e9a80865e4a984d63fe4f8c762b58de1193493754c8
Score

10^/10

azorult redline bootkit discovery evasion infostealer macro persistence spyware trojan xlm glupteba metasploit plugx raccoon smokeloader vidar 51c194bfb6e404af0e5ff0b93b443907a6a845b1 afefd33a49c7cbd55d417545269920f24c85aa37 e71b51d358b75fe1407b56bf2284e3fac50c860f backdoor dropper loader stealer pony rat
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Nirsoft
- Executes dropped EXE
- Looks for VMWare Tools registry key
  evasion
- Modifies Windows Firewall
  evasion
- Suspicious Office macro
  Office document equipped with 4.0 macros.
  macro xlm
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5