azorult

General

Target

Hauptwerk.4.2.1.3.serial.number.keygen.by.ViKiNG.zip
Size

5.8MB
Sample

210625-9b1pbtwpe2
MD5

bb57769950bd7694aba7b72af9c292df
SHA1

5b27428d11e4a1580aae301ee0128b3fb432a35a
SHA256

fe2817cd0bef61ba91b731ec3f0ffab0181de7df14d7e5d773f98d55c4c8c2a5
SHA512

7131637064d859be058dde91d0c7464bb276b07ff5d35ce8de013ee0af196e7ba37f764d871855e1770e0ad96307895ff701f5cea9a3e2a2a2a493b0fcc953d9

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

e0aa5b6d2491c503baf06d4cfeb218de1cd41474

Attributes

url4cnc
https://tttttt.me/hbackwoods1

rc4.plain

Targets

- Target
  
  Hauptwerk.4.2.1.3.serial.number.keygen.by.ViKiNG.exe
- Size
  
  5.9MB
- MD5
  
  180bab993b44225ee2d9c3e5ec4026d9
- SHA1
  
  22ef56516424f3b7ab61d33debd89e88e18fec31
- SHA256
  
  7b7881920337294d9d9b464fdfd182b2c522bf4596dce1b65ba2a2ce7d5edc38
- SHA512
  
  e1632ffcc388a66b1f5c560e772117b5697ad9f1de3c1d32f7743dfe23fb3471b9b53d78520ab4a72ad9d1decf06569520c960a160585f4e3586a0e83aff22fe
Score

10^/10

azorult pony raccoon xmrig e0aa5b6d2491c503baf06d4cfeb218de1cd41474 discovery infostealer miner persistence rat spyware stealer trojan vmprotect redline socelars vidar evasion
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Checks for common network interception software
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
  evasion
- XMRig Miner Payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses 2FA software files, possible credential harvesting
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2