Overview

Tasks (report score out of 10 in parentheses, where one is shown):
Static (10)
keygen-pr.exe on windows7_x64 (10)
keygen-pr.exe on windows10_x64 (1)
keygen-step-1.exe on windows7_x64 (1)
keygen-step-1.exe on windows10_x64 (10)
keygen-step-3.exe on windows7_x64 (10)
keygen-step-3.exe on windows10_x64 (7)
keygen-step-4.exe on windows7_x64 (1)
keygen-step-4.exe on windows10_x64 (10)
keygen-step-5.exe on windows7_x64 (no score shown)
keygen-step-5.exe on windows10_x64 (8)
keygen-step-6.exe on windows7_x64 (8)
keygen-step-6.exe on windows10_x64 (7)
keygen.bat on windows7_x64 (6)
keygen.bat on windows10_x64 (10)
General
Target: Skinpack_I_Icons_Win7_I_icons_crack_by_CORE.rar
Size: 7.5MB
Sample: 210711-76dh5taawe
MD5: 167c77b0c179d78b7e3deb8e3c632d79
SHA1: 9d1e16dc437edf21aeaf024c6c427885aee94e33
SHA256: fceea0cd8b2b0ed98eb55cd6713de63319b944c438b92ccbd4b38e299d4af1ed
SHA512: 3688c1b4d85d6f87e8c5ab95b405d01889e0a2918927e0eee45bd13a6f76057e6db26900f0561cadff17bbd3482b0b063da7b074ca42a74b795c23d24bdb29c5
Static task: static1

Behavioral tasks:
behavioral1: keygen-pr.exe, resource win7v20210408
behavioral2: keygen-pr.exe, resource win10v20210410
behavioral3: keygen-step-1.exe, resource win7v20210408
behavioral4: keygen-step-1.exe, resource win10v20210410
behavioral5: keygen-step-3.exe, resource win7v20210410
behavioral6: keygen-step-3.exe, resource win10v20210408
behavioral7: keygen-step-4.exe, resource win7v20210410
behavioral8: keygen-step-4.exe, resource win10v20210408
behavioral9: keygen-step-5.exe, resource win7v20210410
behavioral10: keygen-step-5.exe, resource win10v20210408
behavioral11: keygen-step-6.exe, resource win7v20210410
behavioral12: keygen-step-6.exe, resource win10v20210410
behavioral13: keygen.bat, resource win7v20210408
Malware Config
Extracted (azorult): http://kvaka.li/1210776429.php
Extracted (pony): http://www.oldhorse.info
Targets

Target: keygen-pr.exe
Size: 1.7MB
MD5: 65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1: a1f4784377c53151167965e0ff225f5085ebd43b
SHA256: 862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512: e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
Score: 1/10
Signatures: none reported

Target: keygen-step-1.exe
Size: 112KB
MD5: c615d0bfa727f494fee9ecb3f0acf563
SHA1: 6c3509ae64abc299a7afa13552c4fe430071f087
SHA256: 95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512: d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
Score: 10/10
Signatures:
  - Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.

Target: keygen-step-3.exe
Size: 702KB
MD5: 50a6b53785349a6b7b541987a47113c2
SHA1: 7eb821979457c49965ef0b07db9238a088c5bf50
SHA256: 7840eb65ce969feece9ee7acffe35e9c8fa357fe31ffb45cfeec8f780789bb05
SHA512: fe9dba5a520cc27b1ba2e13b032c13ee668f7061e1338ac7f024883604c6b03e3e76f36ec37645ff897f59f1876b8b92128b9fbdce46f927359d248dbae816a4
Score: 7/10
Signatures:
  - Deletes itself

Target: keygen-step-4.exe
Size: 4.5MB
MD5: a684e8527ee125f347c32dc151d7342e
SHA1: 0df374dffd126153723de4b1276b76416c37e37a
SHA256: 25cc003174132ee20eeb1c58f5c47d59b8e9695943eddca253b893497331afe5
SHA512: f95e254820dd9a29b52c0d61464ce1f90da7ebf1714da5f079a831346902116a9bca2e6517d23063a34d927ea599fd422bccb9314d1eb6a3310314c583469067
Score: not shown
Signatures:
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - Socelars Payload
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext

Target: keygen-step-5.exe
Size: 1.1MB
MD5: 747f74fabfd75d98062a485981249675
SHA1: ae0f1726911463f6711f0f4077aaf0675e0f732a
SHA256: 21517fbbdbdf6d0b77e35c00736adbeb025cb7050792ada79fb534c5733298c0
SHA512: 7b790e759ea136534624366b693bf9f27919f58d987490500db0bd2ffba1406196fb0ec7c8e5121f8347f9aab49ef9f0c813025a19183d772e68f5350dccac4e
Score: 8/10
Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger

Target: keygen-step-6.exe
Size: 249KB
MD5: b40756c7263aab67d11a6b0d9892b10a
SHA1: 323b2d011e8e33171acdbfd2592e8b2564716588
SHA256: ad22b1e690fac416da97d49ff6a14c7f5ef7804bfadabff993e7bf9d2570c1fa
SHA512: 9a8fe605aeb30ea968222fc6ae4aa6e9a2fe685b72d2e3f04c0303bdddcbd01607419a7ed3cc70f78c8615aff6f998ea45ab0d297079dcbeb07ebd587816ba9c
Score: 7/10
Signatures:
  - Deletes itself
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.

Target: keygen.bat
Size: 175B
MD5: 96969f73ab2c8e4be632cdbd0ead0760
SHA1: 6f9a163ba4f938b063d24cd966af9b5abd8434fd
SHA256: 04c2002de2cb5022e9c3b9325216ce74847f74166aa702eff6df01067930b49e
SHA512: 261588c1e0a026be6ef3d35df77f52a5dc693c181be08d6c13110b59694497ec024fd751c54d3ca004312c02abb32c72ef61b824750eeccfe61c7f263ba1cab2
Score: not shown
Signatures:
  - Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  - Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
  - Socelars Payload
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - Accesses cryptocurrency files/wallets, possible credential harvesting
  - Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
  - Legitimate hosting services abused for malware hosting/C2
  - Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
  - Drops file in System32 directory
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of SetThreadContext