General

Target: Adobe_Photoshop_keygen_by_KeygenSumo SAMPLE pw to decrypt 12345.zip
Size: 7.3MB
Sample: 210706-gnrr8bass6
MD5: 6b7b5babbdb4cbf02c94d6275a36f396
SHA1: 25baf55b64c65df92ced3cd0b4623051b75ef56e
SHA256: 80b493fec3317ca7e26baf621065f285baa2de0a77477de921d292e456ced47a
SHA512: 6e16bd334218265d57f41423238945b9430d5d7f1d29744b83debfb62144d45892114edb777c4472861233afda9e2208bca995238f761fc46f9ffaa8bf57f5dc
Static task: static1

Malware Config

Extracted family: azorult
URL: http://kvaka.li/1210776429.php
Targets

Target: Adobe_Photoshop_keygen_by_KeygenSumo.exe
Size: 7.5MB
MD5: 676f24c8f005932c9c9e138c49456ca0
SHA1: 728fccea88e1fd3ec318ce34e1e1e050e1667487
SHA256: 96a55ae6109ea77a60d91b5220187c435412f4b0fafcc55eb3e2f768108cdeb0
SHA512: 4a7dd7f9a8813b99089e87cb495abc145c9369060049f029140bea9a85ea08c5fd3d9a8527c0cd8fa42cad1f1a555a0ad2ed2f971ba94704940fdfab65fd7a8c
Signatures

Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload
Turns off Windows Defender SpyNet reporting
Nirsoft
XMRig Miner Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext