General

  • Target

    Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.zip

  • Size

    4.7MB

  • Sample

    210402-ajs6t127cx

  • MD5

    6f6c0e2a28407df884b774179447b486

  • SHA1

    7c8b68d9b6113a887f17768d941d4ac7d2cccfea

  • SHA256

    1c1676e9f150f9bcaef690dc9c7042930ee33678fb02b24fb649a320df0c5d16

  • SHA512

    1f33c591b3b6a7b88c794795d63b998f4570b6b2b8a1718b48c29e80fd38a6aaa42b09bd2db7c573cc2bf23bb35d485a6ea89c8d7e6fddec8882845a0ba2f1ee

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

    • Target

      Photozoom.Pro.5.5.0.2.v.5.0.2.serial.code.maker.exe

    • Size

      4.8MB

    • MD5

      61e0e846e4a326fbe9f8cb873d644c6a

    • SHA1

      a7fd6f5772d2a594972919743651c25309d7e622

    • SHA256

      548af4c5f5e7897cca22f8f1629a06788d05c0ca9df90d4bc034a105ae5c875c

    • SHA512

      2a064775995677be01ce0924431a8823dc767868ddf8a219cccf87af206f295868c7edb54e2304b84c9e50849438df5fa085081c1b5f277f3c405adbdeb5965c

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Taurus Stealer

      Taurus is an infostealer first seen in June 2020.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks