azorult

General

Target

Reimage_Pc_Repair_keygen_by_KeygenNinja.exe
Size

5.3MB
Sample

210411-3fqmg8y386
MD5

e3a4794401060fa47210b473285399d0
SHA1

ea14af2b4c7fa2c57654640e8084ccbac3b30914
SHA256

97557fd5c3cb5632347d4fcf97c38613c82c47452895616b910d92ed4aa80a94
SHA512

fb869fc24f4c5e99dcc7b19a9a832c6d7066d5d8d1c057fdfe41ebc80c29483bdb0d3c3d3a242740bf898dec9a5f89d03ce4650d8942bffc3731363b0e1596a1

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

icedid

Campaign

1925120085

Targets

- Target
  
  Reimage_Pc_Repair_keygen_by_KeygenNinja.exe
- Size
  
  5.3MB
- MD5
  
  e3a4794401060fa47210b473285399d0
- SHA1
  
  ea14af2b4c7fa2c57654640e8084ccbac3b30914
- SHA256
  
  97557fd5c3cb5632347d4fcf97c38613c82c47452895616b910d92ed4aa80a94
- SHA512
  
  fb869fc24f4c5e99dcc7b19a9a832c6d7066d5d8d1c057fdfe41ebc80c29483bdb0d3c3d3a242740bf898dec9a5f89d03ce4650d8942bffc3731363b0e1596a1
Score

10^/10

azorult icedid pony redline vidar 1925120085 banker discovery evasion infostealer persistence rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2