General
-
Target
Office.2003.professional.tr.keygen.by.cat.zip
-
Size
5.1MB
-
Sample
210404-mp1c5f97fn
-
MD5
2a49bb9ff550ea6504ccf3052a8629a5
-
SHA1
5fa8d1a9db712cfdd5dfec1bc81ecbb892a20e12
-
SHA256
0fe5e0f1c632d46718d1e0fc0bc8e94b4f56b79fcbed4f753def51bc39a42717
-
SHA512
68bc5ea1e0b0e5bb5ac1f81a53f02ec7d0ff00f5fdb42d9e51a444e0d27433e6b5d4ff274065d51f8aba3786d053b689bd0c89d81a84ec33e3043a54fd0d54fc
Static task
static1
Behavioral task
behavioral1
Sample
Office.2003.professional.tr.keygen.by.cat.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Office.2003.professional.tr.keygen.by.cat.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Office.2003.professional.tr.keygen.by.cat.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Office.2003.professional.tr.keygen.by.cat.exe
Resource
win10v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
redline
3allsup
jbeaef.tk:80
Extracted
redline
Alllsupp_0402
80.85.154.104:10762
Extracted
http://labsclub.com/welcome
Extracted
metasploit
windows/single_exec
Extracted
redline
new1
rlmushahel.xyz:80
Extracted
smokeloader
2020
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
Extracted
redline
neisteri
194.147.142.46:19250
Extracted
redline
Kolokol
pokacienon.xyz:80
Extracted
raccoon
9420f36ff86e78bbb8ce4073fa910f921ce2bebf
-
url4cnc
https://tttttt.me/hobamantfr1
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Extracted
redline
@big_tastyyy
dylarache.site:80
Extracted
redline
mixBot
185.251.25.229:3732
Extracted
redline
1
135.181.245.81:7771
Extracted
icedid
2412332838
gaaga923.website
Targets
-
-
Target
Office.2003.professional.tr.keygen.by.cat.exe
-
Size
5.2MB
-
MD5
b7c8c806f8f769038ea96e07c97a58b2
-
SHA1
2262ca02ed96027ad6eade9c2f767fafaa14765f
-
SHA256
1d09cc68f7b5bc9ea50661b71029ab1470056a075914538357599a335e791f4c
-
SHA512
3da11884f425ae534549658ceb3543c3609cd2fa5f4f3a7bd4465a0435c5932623761fb87b6eb14816b58bb85ba42441d8991af7b4afad71b3bfe59ecb918053
Score 10/10
Tags: azorult, xmrig, infostealer, miner, trojan, dcrat, redline, taurus, 3allsup, alllsupp_0402, discovery, evasion, persistence, rat, spyware, stealer, glupteba, metasploit, netsupport, raccoon, smokeloader, vidar, 1, 9420f36ff86e78bbb8ce4073fa910f921ce2bebf, @big_tastyyy, afefd33a49c7cbd55d417545269920f24c85aa37, kolokol, mixbot, neisteri, new1, backdoor, dropper, loader, icedid, 2412332838, banker, pony
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Taurus Stealer Payload
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
IcedID First Stage Loader
-
XMRig Miner Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder 1
Scheduled Task 1
Hidden Files and Directories 1
Defense Evasion
Modify Registry 3
Install Root Certificate 1
Hidden Files and Directories 1