General

Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno.rar
Size: 42.3MB
Sample: 210713-9172fbfz2a
MD5: d1664c9ab6a746a94eb65af3f3b2c7e6
SHA1: 5e7f7c4c8803307f8516fcdd82a4483221aad601
SHA256: a440b889316f97b32bc47fc8fb898e708879ae0d12e5addf5849a9e1adcbdae1
SHA512: e338e92f743361248acfb1bdbb1421679920b0d4e471bd12058686f85891839c66d68ca71368a3f48e0e2bcac660073d04c2e7b59e53a6c4b40907aa75e8db9c
Static task: static1

Behavioral task: behavioral1
Sample: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (2).exe
Resource: win10v20210410

Behavioral task: behavioral2
Sample: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (3).exe
Resource: win10v20210408

Behavioral task: behavioral3
Sample: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (4).exe
Resource: win10v20210410

Behavioral task: behavioral4
Sample: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (5).exe
Resource: win10v20210408

Behavioral task: behavioral5
Sample: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия.exe
Resource: win10v20210410
Malware Config

Extracted (azorult): http://kvaka.li/1210776429.php
Extracted (pony): http://www.oldhorse.info
Targets

Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (2).exe
Size: 7.2MB
MD5: 0c39567304de3ca2ef9c5462f7dd8e10
SHA1: 44d807478600fec588ce96b813706dc3bbd228c2
SHA256: a6d9bab76d63946a505e8064545340dcafb429fd1f8d85464405a93e0c2740b6
SHA512: bcf1bb2ff8da69d69b8abace61cf3c359fbe03038a9f25bd5c7abea7056e3335134100f1fe762a59950286ad899cee3a697150109fed627049c15a1c789fac2a

- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (3).exe
Size: 7.2MB
MD5: 0c39567304de3ca2ef9c5462f7dd8e10
SHA1: 44d807478600fec588ce96b813706dc3bbd228c2
SHA256: a6d9bab76d63946a505e8064545340dcafb429fd1f8d85464405a93e0c2740b6
SHA512: bcf1bb2ff8da69d69b8abace61cf3c359fbe03038a9f25bd5c7abea7056e3335134100f1fe762a59950286ad899cee3a697150109fed627049c15a1c789fac2a

- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (4).exe
Size: 7.2MB
MD5: 0c39567304de3ca2ef9c5462f7dd8e10
SHA1: 44d807478600fec588ce96b813706dc3bbd228c2
SHA256: a6d9bab76d63946a505e8064545340dcafb429fd1f8d85464405a93e0c2740b6
SHA512: bcf1bb2ff8da69d69b8abace61cf3c359fbe03038a9f25bd5c7abea7056e3335134100f1fe762a59950286ad899cee3a697150109fed627049c15a1c789fac2a

- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия (5).exe
Size: 7.2MB
MD5: 0c39567304de3ca2ef9c5462f7dd8e10
SHA1: 44d807478600fec588ce96b813706dc3bbd228c2
SHA256: a6d9bab76d63946a505e8064545340dcafb429fd1f8d85464405a93e0c2740b6
SHA512: bcf1bb2ff8da69d69b8abace61cf3c359fbe03038a9f25bd5c7abea7056e3335134100f1fe762a59950286ad899cee3a697150109fed627049c15a1c789fac2a
Score: 1/10
Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno - копия.exe
Size: 7.2MB
MD5: 0c39567304de3ca2ef9c5462f7dd8e10
SHA1: 44d807478600fec588ce96b813706dc3bbd228c2
SHA256: a6d9bab76d63946a505e8064545340dcafb429fd1f8d85464405a93e0c2740b6
SHA512: bcf1bb2ff8da69d69b8abace61cf3c359fbe03038a9f25bd5c7abea7056e3335134100f1fe762a59950286ad899cee3a697150109fed627049c15a1c789fac2a
Score: 1/10
Target: Infix.Pdf.Editor.Version.5.2.3.serial.keys.gen.by.Inferno.exe
Size: 7.2MB
MD5: 0c39567304de3ca2ef9c5462f7dd8e10
SHA1: 44d807478600fec588ce96b813706dc3bbd228c2
SHA256: a6d9bab76d63946a505e8064545340dcafb429fd1f8d85464405a93e0c2740b6
SHA512: bcf1bb2ff8da69d69b8abace61cf3c359fbe03038a9f25bd5c7abea7056e3335134100f1fe762a59950286ad899cee3a697150109fed627049c15a1c789fac2a

- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Executes dropped EXE
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext