General
-
Target
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.zip
-
Size
4.7MB
-
Sample
210402-ajs6t127cx
-
MD5
6f6c0e2a28407df884b774179447b486
-
SHA1
7c8b68d9b6113a887f17768d941d4ac7d2cccfea
-
SHA256
1c1676e9f150f9bcaef690dc9c7042930ee33678fb02b24fb649a320df0c5d16
-
SHA512
1f33c591b3b6a7b88c794795d63b998f4570b6b2b8a1718b48c29e80fd38a6aaa42b09bd2db7c573cc2bf23bb35d485a6ea89c8d7e6fddec8882845a0ba2f1ee
Static task
static1
Behavioral task
behavioral1
Sample
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe
Resource
win7v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Targets
-
-
Target
Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe
-
Size
4.8MB
-
MD5
61e0e846e4a326fbe9f8cb873d644c6a
-
SHA1
a7fd6f5772d2a594972919743651c25309d7e622
-
SHA256
548af4c5f5e7897cca22f8f1629a06788d05c0ca9df90d4bc034a105ae5c875c
-
SHA512
2a064775995677be01ce0924431a8823dc767868ddf8a219cccf87af206f295868c7edb54e2304b84c9e50849438df5fa085081c1b5f277f3c405adbdeb5965c
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-