azorult

General

Target

Pindersoft.ASL.Logbook.1.2.keygen.by.ACME.zip
Size

5.4MB
Sample

210526-erlw6zl54s
MD5

3f9b71186b12eb07f0a03dee793acc94
SHA1

e1f8d9a1c94f78f02160cc30a04672f224bc2254
SHA256

0cb3f1f50cc20bed39529127ff53820b3becc3a97dadc934d38ff4ea15189162
SHA512

28191da8e54ffb2f2a23d43f5a6d1a355504f6fa423ccd91484f0997330a4523cf3e1e93befd3a62942c1836b6da8415500c8d11e8d3d20f98b185d23b24608c

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

e0aa5b6d2491c503baf06d4cfeb218de1cd41474

Attributes

url4cnc
https://tttttt.me/hbackwoods1

rc4.plain

Targets

- Target
  
  Pindersoft.ASL.Logbook.1.2.keygen.by.ACME.exe
- Size
  
  5.6MB
- MD5
  
  3b15a5ba0c59d8dca729df14f9c47f9f
- SHA1
  
  391298185efc7730aed2b3d5047baa6d661a327c
- SHA256
  
  e43cd9cbc1433581660f7d364b4d9f8040f21f8ff43476f274b31cedf7029adc
- SHA512
  
  3452026cecccc3baa04e49e279efffd13080fbe6ed1d0e9c0c0ee25f898c56c0b6f5ae6cf3f38486768bf6949cd779402d3ff7b2f11332252593a1a4d9721c98
Score

10^/10

azorult plugx pony discovery evasion infostealer persistence rat spyware stealer trojan upx vmprotect raccoon xmrig e0aa5b6d2491c503baf06d4cfeb218de1cd41474 miner
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- PlugX
  PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
  trojan plugx
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner Payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4 behavioral5 behavioral6 behavioral7