General
-
Target
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.zip
-
Size
5.2MB
-
Sample
210408-r1ts43jqe6
-
MD5
63faba92450659af0fccc96bc12c239f
-
SHA1
c5bad33d23d059f6b13c332a4cadc457a32607fe
-
SHA256
0141de4c48080759e1ca848c27295e49b0c1ac5585c859660fbb65b33cf21eb1
-
SHA512
f442122563d76165a39f56f62ffc05a4dc152b621b3c63781fcb9f5d791ae6ea72b0426acb1c8e2f8b405300891e9a5162faaae77bbf0e9e4855fac349eedd20
Static task
static1
Behavioral task
behavioral1
Sample
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.exe
Resource
win7v20201028
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
icedid
1709620451
Targets
-
-
Target
Agilent.Logic.Analyzer.04.00.1.crack.by.ACME.exe
-
Size
5.3MB
-
MD5
769d924ea445995a6984c5e2da6183a2
-
SHA1
63f5d85c2e77282be728fd9ed210c033c4355497
-
SHA256
36837b0f516aae9ff27c8f1949e221445d7c7d4c26118adfdb1aa073a9d5562f
-
SHA512
3162b23f8d9b2402ce294348bd008214f522d9952408b6f3e84c025788b377ce73ee302b4d5ce5a02f940f43f567401b8c160dc990bd410abf7f45b17d3e8c37
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Hidden Files and Directories
1Defense Evasion
Disabling Security Tools
2Modify Registry
5Impair Defenses
1File Permissions Modification
1Install Root Certificate
1Hidden Files and Directories
1