General
Target: Fd_1101_Stinger_2_key_generator.zip
Size: 6.2MB
Sample: 210716-438rh22xyj
MD5: 492a9ef538f042b3151dcb6f4a560a94
SHA1: 9bf73f8338b6620f16c6c9255da0c12dc471b2cc
SHA256: 11f8b9a13f39e32f4e98f7681fb2fb8036f3e3ff7a402ee02a200fdfc287fbff
SHA512: f359f57c8672e74d09f2db9769f36a9a4698236c70c455ca7f1e7326ac728bb27ebcb0174d29ff6c97fdad582fa9e595ec2b385cb73c3d430cd192bcc647d7f8
Static task: static1

Behavioral task: behavioral1
  Sample: Fd_1101_Stinger_2_key_generator.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: Fd_1101_Stinger_2_key_generator.exe
  Resource: win10v20210408
Malware Config
Extracted: azorult
  C2: http://kvaka.li/1210776429.php
Extracted: pony
  C2: http://www.oldhorse.info
Targets
Target: Fd_1101_Stinger_2_key_generator.exe
Size: 6.3MB
MD5: d7f8b9609bab2cebf76aaaf6ae214421
SHA1: e2b219e5d2da2fec36413377627ebe28e3d9507e
SHA256: 09a0e546b0b231e385c6e6202220dedfe62be7817980cdcb54b262f5eb0f2c86
SHA512: b72a0f84d0dae0fa688a8014ac77168462b86889cbb16c22b75b201f0db2157281f75df3595c8c9622b926f43b869edf1e3a014cb3249f48dfb5119b4c371cad
Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext