General
-
Target
Epson.Easy.Photo.Print.2.2.6.0.keygen.zip
-
Size
5.2MB
-
Sample
210410-q9x2bewgl6
-
MD5
60d3e8ba2aae60384fbe4f42351aaf04
-
SHA1
649055d19cde2494de995450eb2a78b0ef072b4e
-
SHA256
f5ea6757b4197a0ddf0dfa4b0f50221710f7c8beca2731264d7f5201ae7356aa
-
SHA512
0e2101097c9bff3263f447eddeadbb54db1d331a1984baf6b7822577f62521a38588f90c93eb9dd1f64e427a8040b05c7d4972f1f67726033e1303bebc0107f3
Static task
static1
Behavioral task
behavioral1
Sample
Epson.Easy.Photo.Print.2.2.6.0.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Epson.Easy.Photo.Print.2.2.6.0.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Epson.Easy.Photo.Print.2.2.6.0.keygen.exe
Resource
win10v20210410
Behavioral task
behavioral4
Sample
Epson.Easy.Photo.Print.2.2.6.0.keygen.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Epson.Easy.Photo.Print.2.2.6.0.keygen.exe
Resource
win7v20201028
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
icedid
1925120085
Extracted
http://labsclub.com/welcome
Targets
-
-
Target
Epson.Easy.Photo.Print.2.2.6.0.keygen.exe
-
Size
5.3MB
-
MD5
f84c1b3e7dc1bddc891f3d72a7e03de4
-
SHA1
a923372e1ac2e442a5d6613c931e86e073a056c9
-
SHA256
274b542e5cf1be20e436450e1b0579c902e5f1665d3f7a9cb03871ba640c51e4
-
SHA512
bd23b8ac27c062aa1e643dd39375326ca0209a6b7753cc8fdc7a4b14a59fde8d0cefebfcc205c9567083fe4b008fabfcb4b41d9aa48f52514cd2341c24b2b48e
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Checks for common network interception software
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks for any installed AV software in registry
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
Modify Registry
3Install Root Certificate
1Hidden Files and Directories
1