General
-
Target
Clone.Dvd.2.9.1.0.keygen.zip
-
Size
4.7MB
-
Sample
210326-m7wgch9ghn
-
MD5
900a87d0d40540c7e696fd33588e9958
-
SHA1
524eb612402d9e93144d985b6c246e89c7f9905c
-
SHA256
1d8b80677ca7dfc091296e422721910401ea5d3b63fe3892580b5c4d6579be6f
-
SHA512
c22ab6e799ea6801136e0c338aa68ba15f750234949e7118cafe09e48f3b42ca1d7d7529a81156cc5d49199f4258074a6d5e894df2a16a4537ba5d7e70607439
Static task
static1
Behavioral task
behavioral1
Sample
Clone.Dvd.2.9.1.0.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Clone.Dvd.2.9.1.0.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Clone.Dvd.2.9.1.0.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Clone.Dvd.2.9.1.0.keygen.exe
Resource
win10v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
redline
19test200
erherst.tk:80
Extracted
redline
newone
91.214.124.106:80
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Extracted
http://labsclub.com/welcome
Extracted
icedid
shturmann.space
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Extracted
raccoon
dd478ff8ed48e4864892644c2a5502e502f6869c
-
url4cnc
https://telete.in/iodmarius
Extracted
redline
BANK SHALLON
86.106.181.231:3214
Extracted
redline
9898
86.106.181.42:40355
Targets
-
-
Target
Clone.Dvd.2.9.1.0.keygen.exe
-
Size
4.8MB
-
MD5
98e0552e7c661d3f84c5ca691bb58b60
-
SHA1
f8747cbd9256e9587e45b1feeded6b082b098e5d
-
SHA256
23e30d6f1d505e6a0cf1672ec7420d28af81975a9832f1af2eae8a3233a09eb4
-
SHA512
d767b09e6d24ce96ce95e7cbcb248b93373f7dcbad3a96ba249a3c54df9511567c4ff2bfd8393492a0f90ae8bf5ab37c1cf71f75092ad81dde7a7a7a5f7e76da
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
IcedID First Stage Loader
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
1Scheduled Task
1Hidden Files and Directories
1Defense Evasion
File Permissions Modification
1Modify Registry
3Install Root Certificate
1Hidden Files and Directories
1