azorult

Sharing

Copy URL

Twitter E-mail

General

Target

Skinpack_I_Icons_Win7_I_icons_crack_by_CORE.rar
Size

7.5MB
Sample

210711-76dh5taawe
MD5

167c77b0c179d78b7e3deb8e3c632d79
SHA1

9d1e16dc437edf21aeaf024c6c427885aee94e33
SHA256

fceea0cd8b2b0ed98eb55cd6713de63319b944c438b92ccbd4b38e299d4af1ed
SHA512

3688c1b4d85d6f87e8c5ab95b405d01889e0a2918927e0eee45bd13a6f76057e6db26900f0561cadff17bbd3482b0b063da7b074ca42a74b795c23d24bdb29c5

Score

10^/10

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

pony

http://www.oldhorse.info

Targets

- Target
  
  keygen-pr.exe
- Size
  
  1.7MB
- MD5
  
  65b49b106ec0f6cf61e7dc04c0a7eb74
- SHA1
  
  a1f4784377c53151167965e0ff225f5085ebd43b
- SHA256
  
  862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
- SHA512
  
  e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
Score

1^/10
behavioral1 behavioral2
- Target
  
  keygen-step-1.exe
- Size
  
  112KB
- MD5
  
  c615d0bfa727f494fee9ecb3f0acf563
- SHA1
  
  6c3509ae64abc299a7afa13552c4fe430071f087
- SHA256
  
  95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
- SHA512
  
  d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
Score

10^/10

azorult infostealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
behavioral3 behavioral4
- Target
  
  keygen-step-3.exe
- Size
  
  702KB
- MD5
  
  50a6b53785349a6b7b541987a47113c2
- SHA1
  
  7eb821979457c49965ef0b07db9238a088c5bf50
- SHA256
  
  7840eb65ce969feece9ee7acffe35e9c8fa357fe31ffb45cfeec8f780789bb05
- SHA512
  
  fe9dba5a520cc27b1ba2e13b032c13ee668f7061e1338ac7f024883604c6b03e3e76f36ec37645ff897f59f1876b8b92128b9fbdce46f927359d248dbae816a4
Score

7^/10
- Deletes itself
behavioral5 behavioral6
- Target
  
  keygen-step-4.exe
- Size
  
  4.5MB
- MD5
  
  a684e8527ee125f347c32dc151d7342e
- SHA1
  
  0df374dffd126153723de4b1276b76416c37e37a
- SHA256
  
  25cc003174132ee20eeb1c58f5c47d59b8e9695943eddca253b893497331afe5
- SHA512
  
  f95e254820dd9a29b52c0d61464ce1f90da7ebf1714da5f079a831346902116a9bca2e6517d23063a34d927ea599fd422bccb9314d1eb6a3310314c583469067
Score

10^/10

vmprotect socelars evasion persistence spyware stealer trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Sets DLL path for service in the registry
  persistence
- Sets service image path in registry
  persistence
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral7 behavioral8
- Target
  
  keygen-step-5.exe
- Size
  
  1.1MB
- MD5
  
  747f74fabfd75d98062a485981249675
- SHA1
  
  ae0f1726911463f6711f0f4077aaf0675e0f732a
- SHA256
  
  21517fbbdbdf6d0b77e35c00736adbeb025cb7050792ada79fb534c5733298c0
- SHA512
  
  7b790e759ea136534624366b693bf9f27919f58d987490500db0bd2ffba1406196fb0ec7c8e5121f8347f9aab49ef9f0c813025a19183d772e68f5350dccac4e
Score

8^/10
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral9 behavioral10
- Target
  
  keygen-step-6.exe
- Size
  
  249KB
- MD5
  
  b40756c7263aab67d11a6b0d9892b10a
- SHA1
  
  323b2d011e8e33171acdbfd2592e8b2564716588
- SHA256
  
  ad22b1e690fac416da97d49ff6a14c7f5ef7804bfadabff993e7bf9d2570c1fa
- SHA512
  
  9a8fe605aeb30ea968222fc6ae4aa6e9a2fe685b72d2e3f04c0303bdddcbd01607419a7ed3cc70f78c8615aff6f998ea45ab0d297079dcbeb07ebd587816ba9c
Score

7^/10
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral11 behavioral12
- Target
  
  keygen.bat
- Size
  
  175B
- MD5
  
  96969f73ab2c8e4be632cdbd0ead0760
- SHA1
  
  6f9a163ba4f938b063d24cd966af9b5abd8434fd
- SHA256
  
  04c2002de2cb5022e9c3b9325216ce74847f74166aa702eff6df01067930b49e
- SHA512
  
  261588c1e0a026be6ef3d35df77f52a5dc693c181be08d6c13110b59694497ec024fd751c54d3ca004312c02abb32c72ef61b824750eeccfe61c7f263ba1cab2
Score

10^/10

azorult pony discovery infostealer rat spyware stealer trojan vmprotect socelars evasion
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Pony,Fareit
  Pony is a Remote Access Trojan application that steals information.
  rat spyware stealer pony
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars Payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral13 behavioral14

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Deletes itself

Process spawned unexpected child process

Socelars

Socelars Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Windows security bypass

Executes dropped EXE

Sets DLL path for service in the registry

Sets service image path in registry

VMProtect packed file

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Suspicious use of NtCreateThreadExHideFromDebugger

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Azorult

Pony,Fareit

Process spawned unexpected child process

Socelars

Socelars Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

VMProtect packed file

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14