azorult

General

Target

Adobe_Photoshop_keygen_by_KeygenSumo SAMPLE pw to decrypt 12345.zip
Size

7.3MB
Sample

210706-gnrr8bass6
MD5

6b7b5babbdb4cbf02c94d6275a36f396
SHA1

25baf55b64c65df92ced3cd0b4623051b75ef56e
SHA256

80b493fec3317ca7e26baf621065f285baa2de0a77477de921d292e456ced47a
SHA512

6e16bd334218265d57f41423238945b9430d5d7f1d29744b83debfb62144d45892114edb777c4472861233afda9e2208bca995238f761fc46f9ffaa8bf57f5dc

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Targets

- Target
  
  Adobe_Photoshop_keygen_by_KeygenSumo.exe
- Size
  
  7.5MB
- MD5
  
  676f24c8f005932c9c9e138c49456ca0
- SHA1
  
  728fccea88e1fd3ec318ce34e1e1e050e1667487
- SHA256
  
  96a55ae6109ea77a60d91b5220187c435412f4b0fafcc55eb3e2f768108cdeb0
- SHA512
  
  4a7dd7f9a8813b99089e87cb495abc145c9369060049f029140bea9a85ea08c5fd3d9a8527c0cd8fa42cad1f1a555a0ad2ed2f971ba94704940fdfab65fd7a8c
Score

10^/10

azorult pony raccoon redline xmrig discovery evasion infostealer miner persistence rat spyware stealer trojan vmprotect
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine Payload
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Nirsoft
- XMRig Miner Payload
  miner
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Drops startup file
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1