General
Target: ABBBY.Fine.Reader.8.XA.keygen.by.DBC.zip
Size: 5.1MB
Sample: 210325-7bz9tdl556
MD5: dfe2525c9b22b2264525e5917ee0cc54
SHA1: b3c83e9ea9c87b1df080c1e30ffbf802887abcef
SHA256: ad5d1feea7984083745f0dc046efab6b77fb46cfc663b595c2180dea1e877062
SHA512: 28b8708b223f7730405a59d6cfd9420b8d002ca04c9aa8b7f34d62732ef4f886929fd9838b0e5eba021852c6c23b95977b9b7afc44498efa609725f4c2b7daf1
Static task: static1
Behavioral tasks: behavioral1, behavioral2, behavioral3, behavioral4
Sample (all behavioral tasks): ABBBY.Fine.Reader.8.XA.keygen.by.DBC.exe
Resource (all behavioral tasks): win10v20201028
Malware Config
Extracted: azorult
  http://kvaka.li/1210776429.php
Extracted: raccoon
  dfa7b4d385486b737f84d608857eb43733ffd299
  url4cnc: https://telete.in/j9ca1pel
Extracted: fickerstealer
  deniedfight.com:80
  lukkeze.space:80
Extracted:
  http://labsclub.com/welcome
Extracted: icedid
  1235390667
  petelbomber.xyz
Extracted: redline
  shop
  shopstyle3.top:80
Extracted: cryptbot
  baqsw42.top
  morryv04.top
  payload_url: http://aktyd05.top/download.php?file=lv.exe
Targets
Target: ABBBY.Fine.Reader.8.XA.keygen.by.DBC.exe
Size: 5.2MB
MD5: 04f817093896aee3f7cf5753f04c6f18
SHA1: 72ee312e137a466581c51cd93970f415d62a07e9
SHA256: 1d4b2e0042e7508c201ac83f1deb2f1a96836774afabb3e28fb766348b5008db
SHA512: 3e46cb980868b5e66f1711c2c50f12763697c6167527e7ac790b91a3dd93cedc7c43b94c6f1adbc01949baf02b27de9802be303fdf4a0e63ab91869f3b924d2a
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- CryptBot Payload
- DcRat: DarkCrystal (DC) is a new .NET RAT active since June 2019, capable of loading additional plugins.
- ElysiumStealer: ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks for common network interception software: Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- IcedID First Stage Loader
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- XMRig Miner Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks for any installed AV software in registry
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v6)
Defense Evasion:
- Virtualization/Sandbox Evasion (2)
- Modify Registry (3)
- Install Root Certificate (1)
- Hidden Files and Directories (1)