General
-
Target
Wondershare.Dr.fone.For.5.5.0.key.generator.zip
-
Size
5.2MB
-
Sample
210409-yq5qmk97r6
-
MD5
aec7a06c1e8612953b5cb3cdfe24295b
-
SHA1
04836f0c641c38ef45aebffcb55b53a49caef563
-
SHA256
46fcf2a896a8e043e3acf3736819ec0f156bab3c79e8e745b172286e4bafcad1
-
SHA512
1e0d5c3470385a8aebce2aee9de83863374c36840d45f8c23aac591d71caf19f0309c266df8b4f630cafb20d22afadfe1ff62715d4b1f6b1ee3da1d04bb15202
Static task
static1
Behavioral task
behavioral1
Sample
Wondershare.Dr.fone.For.5.5.0.key.generator.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Wondershare.Dr.fone.For.5.5.0.key.generator.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Wondershare.Dr.fone.For.5.5.0.key.generator.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Wondershare.Dr.fone.For.5.5.0.key.generator.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Wondershare.Dr.fone.For.5.5.0.key.generator.exe
Resource
win7v20201028
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
zloader
googleaktualizacija
googleaktualizacija2
https://iqowijsdakm.com/gate.php
https://wiewjdmkfjn.com/gate.php
https://dksaoidiakjd.com/gate.php
https://iweuiqjdakjd.com/gate.php
https://yuidskadjna.com/gate.php
https://olksmadnbdj.com/gate.php
https://odsakmdfnbs.com/gate.php
https://odsakjmdnhsaj.com/gate.php
https://odjdnhsaj.com/gate.php
https://odoishsaj.com/gate.php
Targets
-
-
Target
Wondershare.Dr.fone.For.5.5.0.key.generator.exe
-
Size
5.3MB
-
MD5
ee3d202cf87ebeed275eb389dc9fb282
-
SHA1
77b43986b0a65383633fcc54d146bf994c308fec
-
SHA256
15c443dfde4c00737abf81a083011b52f9b7d96a73d6d52692c6de5cdab3afa5
-
SHA512
0a6e89a80e287ab0132938296f01654e99c16e63923f27bd5722c205564cd2e9adfca1325d271aab857526678a061e12cdc4882e37dfb6a695f33795d97417c0
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Modify Registry
3Install Root Certificate
1Hidden Files and Directories
1