General
-
Target
Matrix.Mania.v1.0.keygen.by.F4CG.zip
-
Size
4.8MB
-
Sample
210322-mw7cd3636x
-
MD5
db22e1b52280dd49bd9d7c1e5fa3cb5b
-
SHA1
ff16c058ebd316cd07c5c96fd9d3b38dcb5120bb
-
SHA256
4efdd501315d0f4285ba79990795699c723d317c8b96baf4aa8c733740af581e
-
SHA512
6aa385087f74bf52630fcb00d345e6ec54fcd8df8df8d4491975f68c45ae7c8530bd28eef03d8a871db8d2fdc1ce5800af2d290d12ee25ac91af8c645f54c3b8
Static task
static1
Behavioral task
behavioral1
Sample
Matrix.Mania.v1.0.keygen.by.F4CG.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Matrix.Mania.v1.0.keygen.by.F4CG.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Matrix.Mania.v1.0.keygen.by.F4CG.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Matrix.Mania.v1.0.keygen.by.F4CG.exe
Resource
win10v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
raccoon
c46f13f8aadc028907d65c627fd9163161661f6c
-
url4cnc
https://telete.in/capibar
Extracted
cryptbot
basfs12.top
mormsd01.top
-
payload_url
http://akmes01.top/download.php?file=lv.exe
Extracted
icedid
1336056381
fsikiolker.uno
Extracted
raccoon
2ce901d964b370c5ccda7e4d68354ba040db8218
-
url4cnc
https://telete.in/tomarsjsmith3
Extracted
http://labsclub.com/welcome
Extracted
redline
juner
juneraindrops.top:80
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Extracted
redline
YOUTUBE
86.106.181.42:40355
Extracted
raccoon
4cf8f1742257432e5aeb0584d86efec687d3e60c
-
url4cnc
https://tttttt.me/jrrand0mer
Extracted
redline
USA TOP EU
ichynkara.xyz:80
Extracted
redline
proliv-tir1
45.142.215.168:3214
Extracted
redline
Adan Tylor
ichynkara.xyz:80
Targets
-
-
Target
Matrix.Mania.v1.0.keygen.by.F4CG.exe
-
Size
4.9MB
-
MD5
f8a019ea2f8ec7d02d13db13f41ee2f0
-
SHA1
7d2af8c0cd052c047cf912a6260c94291163d993
-
SHA256
c6558915a33cfd6439e701825d2b563e90042b448bfd46e13c1051ccc66c8816
-
SHA512
b69945e01f5a3372febe4467c2adc7a95b34b86328cf7b4dc46ed0ec2ae88ac986f6615a56ffcf40160fed08fb40f839d6b3b14d5815ecf1e5637fec154ccc4d
Score10/10azorultcryptboticedidraccoon2ce901d964b370c5ccda7e4d68354ba040db8218c46f13f8aadc028907d65c627fd9163161661f6c1336056381bankerinfostealerloaderspywarestealertrojanredlinesmokeloadervidarxmrig4cf8f1742257432e5aeb0584d86efec687d3e60cjuneryoutubebackdoordiscoveryevasionminerpersistenceponyadan tylorproliv-tir1usa top euratelysiumstealeradware-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CryptBot Payload
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Registers COM server for autorun
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
IcedID First Stage Loader
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Browser Extensions
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
3Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Hidden Files and Directories
2Install Root Certificate
1Modify Registry
5Virtualization/Sandbox Evasion
2Web Service
1