General
-
Target
Eye.Candy.5.Impact.keygen.by.TSRh.zip
-
Size
4.3MB
-
Sample
210312-6lrk7mekya
-
MD5
396108630bcb212c3f8c03319dbba872
-
SHA1
1d8f30ceec7a05719b75a5c96e6ae8a4362a2495
-
SHA256
bcd8bfa41862a860df3c1ef25e7ff66476948059dcab743707fd16e356f50155
-
SHA512
d94822ffb1e55e9064df2ab7feeedd326833886f77042c8a44a1f185dddb9854195d225e3caa9ed8af39f9a1fa4c964eb05eed8e207a3a1dddc782809109c8fd
Static task
static1
Behavioral task
behavioral1
Sample
Eye.Candy.5.Impact.keygen.by.TSRh.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Eye.Candy.5.Impact.keygen.by.TSRh.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Eye.Candy.5.Impact.keygen.by.TSRh.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Eye.Candy.5.Impact.keygen.by.TSRh.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Eye.Candy.5.Impact.keygen.by.TSRh.exe
Resource
win7v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
fickerstealer
deniedfight.com:80
Extracted
icedid
3643571430
klicjop9.fun
Extracted
http://labsclub.com/welcome
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
metasploit
windows/single_exec
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Extracted
redline
halthivan.xyz:80
45.67.231.194:3214
Extracted
redline
jason
185.170.213.198:3214
Extracted
redline
1
45.84.0.184:40355
Extracted
redline
USA_NEW
86.107.197.8:40355
Extracted
redline
BANK F
86.105.252.222:3214
Targets
-
-
Target
Eye.Candy.5.Impact.keygen.by.TSRh.exe
-
Size
4.4MB
-
MD5
21052da5f7b3c5ed1766d5a4c240128a
-
SHA1
ded93c3fe86cdb94b1622526f19c55d231653bc2
-
SHA256
cd9a7a53a7e4371700d3c18e1a45dcd5d719c6cd8c796c5e9ea8a155618010d3
-
SHA512
d856d299a205a8435b05cffb9ca489b89b211e67e7ba91ed97a72b38cfde2e0753b7c8fc9a39f5b8e4981d76cd14d0864c410f75722ec66a532e682c717284ef
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
IcedID First Stage Loader
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2Modify Registry
6Virtualization/Sandbox Evasion
2Impair Defenses
1Install Root Certificate
1