General
- Target: Ddos_english_keygen.zip.zip
- Size: 5.3MB
- Sample: 210716-hexdsw2m5n
- MD5: 3e8cd1b832e6deed1b4bcc3a1b5d154b
- SHA1: 357855c3bad18b6065d4494a7da7af919bc0b3f8
- SHA256: 70f01cb499deb2e3371e7d362da0306a69be44b93858550beed0f01df312fce6
- SHA512: caedd29cd2cc6f86a477b8e85cbe26652574c92ab87cbbfba949ecf3f3631733ef9d64f7ff4d44b505594d885ed62bb23f70b26db76213b79b6e8c68b765872c
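To confirm that a file in hand is the sample this report describes, compare its digests with the values listed above for the archive and, under Targets below, for the extracted Ddos_english_keygen.exe (the two differ because one is the container and the other the inner file). The Python below is an added example, not part of the sandbox report: the IOC table is copied from this page, and the input under `__main__` is a constructed stand-in for a file on disk.

```python
"""Verify a sample against the hashes in this report (added example).

Computes MD5, SHA1, SHA256 and SHA512 in one streaming pass and compares
them with a small IOC table copied from the two hash lists on this page.
The input under __main__ is constructed for the demonstration.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Copied from the report: the uploaded archive and the .exe extracted from it.
IOC_TABLE: Dict[str, Dict[str, str]] = {
    "Ddos_english_keygen.zip.zip": {
        "md5": "3e8cd1b832e6deed1b4bcc3a1b5d154b",
        "sha1": "357855c3bad18b6065d4494a7da7af919bc0b3f8",
        "sha256": "70f01cb499deb2e3371e7d362da0306a69be44b93858550beed0f01df312fce6",
        "sha512": "caedd29cd2cc6f86a477b8e85cbe26652574c92ab87cbbfba949ecf3f3631733"
                  "ef9d64f7ff4d44b505594d885ed62bb23f70b26db76213b79b6e8c68b765872c",
    },
    "Ddos_english_keygen.exe": {
        "md5": "4cd7e59617e0169ecd6dd30c0292f718",
        "sha1": "5184308802c28f4ef88ac5328e9db884f9977980",
        "sha256": "f8f2be3b12a0a2a2d34810d6c24791600cec3a8b60b77b5e2038f4c63b7e056f",
        "sha512": "ab84fd09ed77c7a19a82d36556ebd5c91b49f1f9a5f5d3481d39b71e6c1c6c79"
                  "a46d6449b297284c0145164be05cf735def5633b6ce1bbbb505ddd1a89c7c48a",
    },
}


def digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """All four digests of the concatenated chunks, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through digests() so large samples are never read whole."""
    with open(path, "rb") as f:
        return digests(iter(lambda: f.read(chunk_size), b""))


def match_iocs(found: Dict[str, str],
               table: Dict[str, Dict[str, str]] = IOC_TABLE) -> List[Tuple[str, str]]:
    """(target, algorithm) pairs whose listed hash equals the computed one.

    Comparison is case-insensitive: reports and feeds are inconsistent about
    hex casing, and a missed match is worse than a lower() call."""
    return [
        (target, algo)
        for target, expected in table.items()
        for algo, value in expected.items()
        if found.get(algo, "").lower() == value.lower()
    ]


def verdict(found: Dict[str, str],
            table: Dict[str, Dict[str, str]] = IOC_TABLE) -> Dict[str, str]:
    """'match' when every listed digest agrees, 'partial' when only some do.

    A partial match almost always means a transcription error in the IOC
    list; treat SHA256/SHA512 as authoritative, since MD5 and SHA1 are
    collision-prone and should not carry an identification on their own."""
    out = {}
    for target, expected in table.items():
        agreeing = sum(1 for algo, value in expected.items()
                       if found.get(algo, "").lower() == value.lower())
        out[target] = ("match" if agreeing == len(expected)
                       else "partial" if agreeing else "none")
    return out


if __name__ == "__main__":
    # Constructed stand-in for a file on disk; it will not match the report.
    sample = [b"MZ", b"\x90" * 64, b"not the real sample"]
    d = digests(sample)
    print({k: v[:16] + "..." for k, v in d.items()})
    print("matches:", match_iocs(d))
    print("verdict:", verdict(d))
```

Run `digests_of_file()` on the downloaded archive and on the extracted executable separately; a "partial" verdict for either should stop the analysis until the IOC list has been re-checked against the source report.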
Static task: static1
Behavioral task: behavioral1
- Sample: Ddos_english_keygen.exe
- Resource: win7v20210408
Malware Config
- Extracted (azorult): http://kvaka.li/1210776429.php
- Extracted (pony): http://www.oldhorse.info
Targets
- Target: Ddos_english_keygen.exe
- Size: 5.5MB
- MD5: 4cd7e59617e0169ecd6dd30c0292f718
- SHA1: 5184308802c28f4ef88ac5328e9db884f9977980
- SHA256: f8f2be3b12a0a2a2d34810d6c24791600cec3a8b60b77b5e2038f4c63b7e056f
- SHA512: ab84fd09ed77c7a19a82d36556ebd5c91b49f1f9a5f5d3481d39b71e6c1c6c79a46d6449b297284c0145164be05cf735def5633b6ce1bbbb505ddd1a89c7c48a
- Azorult: An information stealer first seen in 2016 that targets browsing history and saved passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess: A process was created with a parent other than the caller (parent PID spoofing), which hides the true process lineage.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application: Writes a value under the registry's CurrentVersion\Run key so the sample is launched again at logon (persistence).
- Checks installed software on the system: Looks up Uninstall key entries in the registry (SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger: Creates a thread with the hide-from-debugger flag, a common anti-debugging technique.
- Suspicious use of SetThreadContext: Rewrites another thread's register context, a step typical of process hollowing and thread-hijacking injection.
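Several of the signatures above (Run key persistence, Uninstall key enumeration, the external IP lookup, the contact with the extracted C2 hosts, the file drop in System32) can be expressed as rules over a process/registry/network trace. The Python below is an added example and not the sandbox's own signature engine: the `pid|process|op|target` trace format, the constructed trace lines and the list of IP lookup hosts are assumptions made for this example, while the C2 URLs are the ones in the Malware Config section of this report.

```python
"""Rules over a behavioral trace for several signatures above (added example).

Not the sandbox's own signature engine. The trace format (pid|process|op|target)
and the IP-lookup host list are assumptions made for this example; the C2 URLs
are the ones in the Malware Config section of this report.
"""
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlsplit

# From the extracted azorult and pony configs on this page.
EXTRACTED_C2 = ["http://kvaka.li/1210776429.php", "http://www.oldhorse.info"]

# Assumption: the report does not name the lookup service; a few common ones.
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ip-api.com",
                   "checkip.dyndns.org", "ipinfo.io"}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\", re.I)
UNINSTALL_RE = re.compile(r"\\currentversion\\uninstall(\\|$)", re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\", re.I)


def host_of(target: str) -> str:
    """Hostname of a URL, or the bare name for a DNS target, lower-cased."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.lower().rstrip(".")


C2_HOSTS = {host_of(u) for u in EXTRACTED_C2}


@dataclass(frozen=True)
class Event:
    pid: int
    proc: str
    op: str  # reg_set | reg_open | reg_enum | file_write | dns | http
    target: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    proc: str
    target: str


def parse_trace(text: str) -> List[Event]:
    """Parse pipe-delimited trace lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, proc, op, target = line.split("|", 3)
        events.append(Event(int(pid), proc, op.lower(), target))
    return events


def classify(ev: Event) -> List[str]:
    """Names of the rules an event satisfies (one event may satisfy several)."""
    hits = []
    if ev.op == "reg_set" and RUN_KEY_RE.search(ev.target):
        hits.append("adds_run_key")
    if ev.op in ("reg_open", "reg_enum") and UNINSTALL_RE.search(ev.target):
        hits.append("enumerates_installed_software")
    if ev.op in ("dns", "http"):
        host = host_of(ev.target)
        if host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
        if host in C2_HOSTS:
            hits.append("contacts_extracted_c2")
    if ev.op == "file_write" and SYSTEM32_RE.match(ev.target):
        hits.append("drops_file_in_system32")
    return hits


def scan(text: str) -> List[Finding]:
    return [Finding(rule, ev.pid, ev.proc, ev.target)
            for ev in parse_trace(text) for rule in classify(ev)]


def signatures_fired(findings: List[Finding]) -> Set[str]:
    return {f.rule for f in findings}


# Constructed trace for this example, not the report's real behavioral log.
CONSTRUCTED_TRACE = r"""
# pid|process|op|target
1234|Ddos_english_keygen.exe|reg_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater
1234|Ddos_english_keygen.exe|reg_open|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1234|Ddos_english_keygen.exe|http|http://api.ipify.org/
1234|Ddos_english_keygen.exe|http|http://kvaka.li/1210776429.php
1234|Ddos_english_keygen.exe|dns|www.oldhorse.info
1234|Ddos_english_keygen.exe|file_write|C:\Windows\System32\drivers\etc\hosts
5678|svchost.exe|reg_set|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
5678|svchost.exe|dns|update.microsoft.com
"""

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_TRACE):
        print(f"{f.rule:30} pid={f.pid} {f.proc}: {f.target}")
```

The Uninstall-key and System32 rules also fire on legitimate installers and service hosts, so in production they are scored per process alongside the stronger indicators (the Run key write, the C2 contact) rather than alerted on individually; the constructed svchost.exe lines show that a write under Uninstall, as opposed to a read of it, and ordinary update traffic produce no findings.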