Overview

overview

10

Static

static

ฺฺฺB...��ฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

ฺฺฺ�...

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...��ฺ7

windows7_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Microsoft_Windows_10_keygen_by_KeygenNinja.zip.zip

  • Size

    10.5MB

  • Sample

    210318-pxjvflvvmx

  • MD5

    5439d07f1a851c9a592e16eaa9ce5f60

  • SHA1

    6c09d14ce12e1bd61f24467a059167eb74cba639

  • SHA256

    e772ef11131412c53d06e2aa43a4a7580b390b73dcca65344aa9db3585ad079d

  • SHA512

    40bba06f1701ad0fa58111f56856733da436c28ce35bda96bcf4c22b8f199c2bcd119712fe9b51357a96b744a042987504092ae1282c098fa3c3ecfe304033d2

Score
10/10
azorultplugxponybootkitdiscoveryevasioninfostealermacropersistenceratspywarestealertrojanupxxlm

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

    • Target

      Microsoft_Windows_10_keygen_by_KeygenNinja.exe

    • Size

      10.6MB

    • MD5

      f986b0da579828fa492041a33862a74d

    • SHA1

      79ce5993da004a0a96609b9f025befb7bf391009

    • SHA256

      df7a1a5d4e81f076198ed56b9bae34bf8f907e300d22cd8681f910472609422e

    • SHA512

      6148127921cbe28135e002f6d0f72f717ffcf980cfd8faaea1d73a813123884a996526925cf05fefb288810b8cfd9065ed618ac98ab2b5d63bd637ce55fbf519

    Score
    10/10
    azorultponybootkitdiscoveryevasioninfostealermacropersistenceratspywarestealertrojanxlmplugxupx

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • PlugX

      PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

      trojanplugx

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Nirsoft

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with 4.0 macros.

      macroxlm

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v6

Tasks