azorult

Sharing

Copy URL

Twitter E-mail

General

Target

Demian007.Image.Line.Fl.Studio.key.code.generator.by.DBC.zip
Size

5.1MB
Sample

210404-9zk6e231aj
MD5

aaf43589827acdc93889d97ac1ccd5a2
SHA1

49cf3ab8b127f4bee35d641a381aa65b2986a655
SHA256

a862a474fd91877d1acd16b5786d12f81223108e519b0cc21f37ea6bbd8e49fd
SHA512

844f2cdb736b8f60e92d368c753df3866defaa7258fc5d2cd057514558059abd86325f513de87223c86c3266abbbed06e1706e8f59825fd9a2e5612aaa69c3ec

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Extracted

Family

raccoon

Botnet

9420f36ff86e78bbb8ce4073fa910f921ce2bebf

Attributes

url4cnc
https://tttttt.me/hobamantfr1

rc4.plain

Extracted

Family

dridex

Botnet

10111

210.65.244.183:8443

216.10.251.121:6601

rc4.plain

Targets

- Target
  
  Demian007.Image.Line.Fl.Studio.key.code.generator.by.DBC.exe
- Size
  
  5.2MB
- MD5
  
  c9d0760f5504d9e8ce237543fc4e7562
- SHA1
  
  12dac9b23d9f95b9647767e15a265a73380ad50b
- SHA256
  
  2519f6e84956fd35aaf7aa0ac51c2ce4cd8fddc973933936560ddb1efff6a16f
- SHA512
  
  28e06d8763858601484ec3675b5d0895712b616d69b36d4c584f32dfb56dfe9a7c26ad05dfda27efc2e9512c11d7dedcafd4d69d98baffdda8eb5af9ba99398a
Score

10^/10

azorult infostealer trojan glupteba metasploit netsupport raccoon smokeloader vidar xmrig 9420f36ff86e78bbb8ce4073fa910f921ce2bebf backdoor dropper loader miner rat stealer dcrat discovery evasion persistence spyware upx dridex pony taurus_stealer 10111 botnet
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dridex
  Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
  botnet dridex
- Glupteba
  Glupteba is a modular loader written in Golang with various components.
  loader dropper glupteba
- Glupteba Payload
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
  trojan backdoor metasploit
- NetSupport
  NetSupport is a remote access tool sold as a legitimate system administration software.
  rat netsupport
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Taurus Stealer
  Taurus is an infostealer first seen in June 2020.
  trojan stealer taurus_stealer
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Dridex Loader
  Detects Dridex both x86 and x64 loader in memory.
  botnet loader
- XMRig Miner Payload
  miner
- Blocklisted process makes network request
- Drops file in Drivers directory
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Targets

DcRat

Dridex

Glupteba

Glupteba Payload

MetaSploit

NetSupport

Pony,Fareit

Raccoon

SmokeLoader

Suspicious use of NtCreateProcessExOtherParentProcess

Suspicious use of NtCreateUserProcessOtherParentProcess

Taurus Stealer

Vidar

xmrig

Checks for common network interception software

Dridex Loader

XMRig Miner Payload

Blocklisted process makes network request

Drops file in Drivers directory

Executes dropped EXE

UPX packed file

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks for any installed AV software in registry

Checks installed software on the system

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Maps connected drives based on registry

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5