General
-
Target
S.A.D.Formatwandler.360.keygen.by.Lz0.zip
-
Size
4.6MB
-
Sample
210324-gwh5djt3v6
-
MD5
548fc0b26d42f7c0347b73605258b6a4
-
SHA1
41918818fb04c40ed244fa7f4e7e36adbe5ed75c
-
SHA256
eaa4a910b759dea9b5d99a276cdaf2923552dd3e3afb39196b0e1f64d361b1e8
-
SHA512
bb2b3b1de036b26c755a11d6fd3873d5eb02ff49ba720c45b9125e1695c3b833821d887521d98cdd51fbadc92963f0fbffde603cfee5d39fbe9ec16a915b8b4d
Static task
static1
Behavioral task
behavioral1
Sample
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
Resource
win10v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
fickerstealer
lukkeze.club:80
Extracted
http://labsclub.com/welcome
Extracted
icedid
1319278762
213podellkk.website
Extracted
cryptbot
bazfr32.top
morwhy03.top
-
payload_url
http://akrvt04.top/download.php?file=lv.exe
Extracted
metasploit
windows/single_exec
Extracted
danabot
1765
3
192.161.48.5:443
23.106.123.117:443
192.236.146.203:443
193.34.167.88:443
-
embedded_hash
B2585F6479280F48B64C99F950BBF36D
Extracted
C:\_readme.txt
helpteam@mail.ch
helpmanager@airmail.cc
https://we.tl/t-WctYmhDIkl
Targets
-
-
Target
S.A.D.Formatwandler.360.keygen.by.Lz0.exe
-
Size
4.7MB
-
MD5
741e26b12183302aa98487e9b52680dc
-
SHA1
e06804bb7c5dfe25124cd19078052841e92d20be
-
SHA256
d4e5bc7e8ea150b4d8c2dba276f4edc5b1d8ac35249e96ceb97144f91c993972
-
SHA512
61c1023da43ecb97f41fa9330af3aecc25fab1ae64b9f1cbb638d468bfc4ffde19f577e86af81ad869e08ed56546d4369a8add5e7eb43c474e962bc4f498a59d
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
CryptBot Payload
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
IcedID First Stage Loader
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Modifies boot configuration data using bcdedit
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Modifies Windows Firewall
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Possible attempt to disable PatchGuard
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Hidden Files and Directories
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2Modify Registry
6Virtualization/Sandbox Evasion
2Impair Defenses
1Hidden Files and Directories
2File Permissions Modification
1Install Root Certificate
1