Acon_Digital_Restoration_Suite_keygen.zip

General

Target: Acon_Digital_Restoration_Suite_keygen.zip
Size: 6MB
Sample: 210420-539kewqgmn
Score: 10/10
MD5: 1b9130e96a78db8f59708d8646de2d6a
SHA1: 297973cfd741de48b5987e8b3f863c3611b01a22
SHA256: d474d3e884d1863092da82fde472d9d8348900bb5d84b16d0037a983e6cf2f92
SHA512: 2aacb52d62c820414a1dcd6a0f8d34fba0194b61d746579e63a362c16b04e61492cd7426f525ca6299a048b19df2868ebf077dce4c01ec4982913e2242abcd07

Malware Config

Extracted

Family: azorult
C2: http://kvaka.li/1210776429.php

Targets

Target: Acon_Digital_Restoration_Suite_keygen.exe
MD5: 7395e90be7985776e946f8f1fa0723e1
Filesize: 6MB
Score: 10/10
SHA1: a82f46ee80485f1bd99227da233f8f4d0927c1da
SHA256: d5c8c3542fd640892e2632ca58e085608fc3b05347cc5ef84743574f3287c165
SHA512: d1402088fd20f8d6e3ccbbd1f9e50cd3f7014657bdd005b35a0f018e8e80a6ed60105c80c9ec0f703a06981ed5bab006231c478161ff8b225513cac0b2739a00

Signatures

  • Azorult
    Description: An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • DcRat
    Description: DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Pony, Fareit
    Description: Pony is a Remote Access Trojan application that steals information.

  • RedLine
    Description: RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • xmrig
    Description: XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • UPX packed file
    Description: Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL

  • Reads data files stored by FTP clients
    Description: Tries to access configuration files associated with programs like FileZilla.
    TTPs: Data from Local System; Credentials in Files

  • Reads local data of messenger clients
    Description: Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
    TTPs: Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials and similar information.
    TTPs: Data from Local System; Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Checks installed software on the system
    Description: Looks up Uninstall key entries in the registry to enumerate software on the system.
    TTPs: Query Registry

  • Checks whether UAC is enabled
    TTPs: System Information Discovery

  • Legitimate hosting services abused for malware hosting/C2
    TTPs: Web Service

  • Looks up external IP address via web service
    Description: Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  • Suspicious use of NtCreateThreadExHideFromDebugger

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics observed: Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation