azorult

General

Target

Digital_Film_Tools_Dft_serial_keys_gen_by_aaocg.zip
Size

5.2MB
Sample

210416-rwpr56phpa
MD5

66f0d00a0a8fe2eab0f48ddf351ff325
SHA1

e4e535d0f185d85a89dfa4644dc622dcc26aa122
SHA256

19a0a53ce48105a5123bd6ced9cf8597175e2cffa017a7120389983e3a5318c1
SHA512

710fc4b8f26e0113c45bd658ce3885a38b2ebf499887302fe7d90509ab1362d4af0cab61d7b016cadc9222f98af8162be58a3286c3e9f87efb8750ea136f8512

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

- Target
  
  Digital_Film_Tools_Dft_serial_keys_gen_by_aaocg.exe
- Size
  
  5.3MB
- MD5
  
  6d94d960c6655cffc9063f21ac90b766
- SHA1
  
  170b057b6052dad745be5ed73f6004d4d8b7e55e
- SHA256
  
  6e088c35e62266c3504d79e2b13a9e5a96a2d2ea5387224a615ad252e10be311
- SHA512
  
  ac3ffc022181fb4288e42b1dc2f2bbd5f36eabe4605fd07bdb6266113db88ca7c008b8ab8ce4bf980bc756a2fe3d14fc5597da362139b71d0fb1109f40886ddb
Score

10^/10

azorult dcrat xmrig discovery evasion infostealer miner persistence rat spyware stealer trojan upx pony redline facebook phishing
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Detected facebook phishing page
  phishing facebook
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5