General
-
Target
Malwarebytes.1.51.2.1300.dat.keygen.exe
-
Size
4.9MB
-
Sample
210320-ecqfknf6kn
-
MD5
6ec6061139ce3258bf85c06faeac465d
-
SHA1
4d7121c979e8a29e33782e65ade97f64d5ae3059
-
SHA256
064411322a8199fe1e2a08ca64f5f06240b2489c1177334e6896e8b469536d3a
-
SHA512
f4457fb35573a7debdb2fe13c9fa8da2449020e794553f68971b842aa702a6fb3780539c39d47e4ed0933ab6fe64cea9c2b46e96e0079baf0f78181f835b3815
Static task
static1
Behavioral task
behavioral1
Sample
Malwarebytes.1.51.2.1300.dat.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Malwarebytes.1.51.2.1300.dat.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Malwarebytes.1.51.2.1300.dat.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Malwarebytes.1.51.2.1300.dat.keygen.exe
Resource
win7v20201028
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
raccoon
dfa7b4d385486b737f84d608857eb43733ffd299
-
url4cnc
https://telete.in/j9ca1pel
Extracted
metasploit
windows/single_exec
Extracted
dridex
10111
188.165.17.91:8443
81.0.236.90:6601
Targets
-
-
Target
Malwarebytes.1.51.2.1300.dat.keygen.exe
-
Size
4.9MB
-
MD5
6ec6061139ce3258bf85c06faeac465d
-
SHA1
4d7121c979e8a29e33782e65ade97f64d5ae3059
-
SHA256
064411322a8199fe1e2a08ca64f5f06240b2489c1177334e6896e8b469536d3a
-
SHA512
f4457fb35573a7debdb2fe13c9fa8da2449020e794553f68971b842aa702a6fb3780539c39d47e4ed0933ab6fe64cea9c2b46e96e0079baf0f78181f835b3815
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2Modify Registry
6Virtualization/Sandbox Evasion
2Impair Defenses
1Install Root Certificate
1