Digital_Film_Tools_Dft_serial_keys_gen_by_aaocg.zip

General

Target: Digital_Film_Tools_Dft_serial_keys_gen_by_aaocg.zip
Size: 5MB
Sample: 210416-rwpr56phpa
Score: 10/10
MD5: 66f0d00a0a8fe2eab0f48ddf351ff325
SHA1: e4e535d0f185d85a89dfa4644dc622dcc26aa122
SHA256: 19a0a53ce48105a5123bd6ced9cf8597175e2cffa017a7120389983e3a5318c1
SHA512: 710fc4b8f26e0113c45bd658ce3885a38b2ebf499887302fe7d90509ab1362d4af0cab61d7b016cadc9222f98af8162be58a3286c3e9f87efb8750ea136f8512

Malware Config

Extracted
Family: azorult
C2: http://kvaka.li/1210776429.php

Targets

Target: Digital_Film_Tools_Dft_serial_keys_gen_by_aaocg.exe
MD5: 6d94d960c6655cffc9063f21ac90b766
Filesize: 5MB
Score: 10/10
SHA1: 170b057b6052dad745be5ed73f6004d4d8b7e55e
SHA256: 6e088c35e62266c3504d79e2b13a9e5a96a2d2ea5387224a615ad252e10be311
SHA512: ac3ffc022181fb4288e42b1dc2f2bbd5f36eabe4605fd07bdb6266113db88ca7c008b8ab8ce4bf980bc756a2fe3d14fc5597da362139b71d0fb1109f40886ddb

Signatures

  • Azorult
    Description: An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Contains code to disable Windows Defender
    Description: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

  • DcRat
    Description: DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Detected facebook phishing page

  • Pony, Fareit
    Description: Pony is a Remote Access Trojan application that steals information.

  • RedLine
    Description: RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • xmrig
    Description: XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner Payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • UPX packed file
    Description: Detects executables packed with the UPX (or a modified UPX) open source packer.

  • Loads dropped DLL

  • Reads data files stored by FTP clients
    Description: Tries to access configuration files associated with programs like FileZilla.
    TTPs: Data from Local System; Credentials in Files

  • Reads local data of messenger clients
    Description: Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials etc.
    TTPs: Data from Local System; Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

  • Checks whether UAC is enabled
    TTPs: System Information Discovery

  • Drops desktop.ini file(s)

  • Enumerates connected drives
    Description: Attempts to read the root path of hard drives other than the default C: drive.
    TTPs: Query Registry; Peripheral Device Discovery; System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2
    TTPs: Web Service

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation