General
Target: Empire.earth.3.pre.order.crack.by.ViKiNG.zip
Size: 5.2MB
Sample: 210407-gfvdq7vtpe
MD5: 28f53d63423cff088fb730f4ca196c73
SHA1: 0dcd4c91bde870576f6b6cefe839bef525fa1dc8
SHA256: 01915d1f29632fa4928865911660a709d27e05f5a468f48a8fb76c543c8a748e
SHA512: 824d44eb1805d774a1274e6862f6db222c1316d8102111e51b97c33bd5000172fb8a98c9770af46539888c7c34065a6e56d44cad8ff421926dcf2005728a1a24
Static task: static1
Behavioral tasks:
behavioral1: Empire.earth.3.pre.order.crack.by.ViKiNG.exe (resource win10v20201028)
behavioral2: Empire.earth.3.pre.order.crack.by.ViKiNG.exe (resource win10v20201028)
behavioral3: Empire.earth.3.pre.order.crack.by.ViKiNG.exe (resource win10v20201028)
behavioral4: Empire.earth.3.pre.order.crack.by.ViKiNG.exe (resource win10v20201028)
behavioral5: Empire.earth.3.pre.order.crack.by.ViKiNG.exe (resource win7v20201028)
Malware Config
Extracted (azorult): http://kvaka.li/1210776429.php
Extracted (metasploit): windows/single_exec
Extracted: http://labsclub.com/welcome
Extracted (smokeloader 2020):
Extracted (raccoon): afefd33a49c7cbd55d417545269920f24c85aa37
url4cnc: https://telete.in/jagressor_kz
Targets
Target: Empire.earth.3.pre.order.crack.by.ViKiNG.exe
Size: 5.3MB
MD5: fef86776cd97277ffe77fbb8d0436aa6
SHA1: 185625b595f070d32247e791619ae531cf8c3087
SHA256: 637689fbd651eaa00e9f7be5c3d1718f2cc250f430dc4dfa20ec4e265d211dc7
SHA512: 7299ef847fefa6c780291869930b06293ec86dba0e4a6f7ab8dd0948d059a99fd30d1594772299f7fa92796dcf7efbd48164b5738cf761c02974ed2612e91d78
Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Glupteba Payload
MetaSploit: Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Checks for common network interception software: Looks in the registry for tools like Wireshark or Fiddler, commonly used to analyze network activity.
Blocklisted process makes network request
Executes dropped EXE
Stops running service(s)
Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence.
Loads dropped DLL
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
Drops file in System32 directory
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence: Modify Existing Service (1), Registry Run Keys / Startup Folder (1), Hidden Files and Directories (1)
Defense Evasion: Impair Defenses (1), Modify Registry (3), Install Root Certificate (1), Hidden Files and Directories (1)