azorult

General

Target

Acdsee.Photo.Editor.2008.5.0.2.keygen.exe
Size

5.3MB
Sample

210411-zmme5bbpqn
MD5

e47fbf01abb58c3f1803bfe31ba5f527
SHA1

77da2f2ad4c5ec5d4b32ee46dc6f726e5e131c00
SHA256

7eb17e438d59bba843cbedd3bfb2e421af4aa0d752d1ca1de7aff52c309af1be
SHA512

e5e763106e6d0d3dc482bc08013bc918d6b142a293449dfc3be33c37348c6040e60c06b1489dcedfa01f0880e29a4140a4558dc14d78437b5b2775bd6e3c4af4

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://labsclub.com/welcome

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

icedid

Campaign

1925120085

Targets

- Target
  
  Acdsee.Photo.Editor.2008.5.0.2.keygen.exe
- Size
  
  5.3MB
- MD5
  
  e47fbf01abb58c3f1803bfe31ba5f527
- SHA1
  
  77da2f2ad4c5ec5d4b32ee46dc6f726e5e131c00
- SHA256
  
  7eb17e438d59bba843cbedd3bfb2e421af4aa0d752d1ca1de7aff52c309af1be
- SHA512
  
  e5e763106e6d0d3dc482bc08013bc918d6b142a293449dfc3be33c37348c6040e60c06b1489dcedfa01f0880e29a4140a4558dc14d78437b5b2775bd6e3c4af4
Score

10^/10

azorult icedid pony redline vidar 1925120085 banker discovery evasion infostealer persistence rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- IcedID, BokBot
  IcedID is a banking trojan capable of stealing credentials.
  trojan banker icedid
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2