General
-
Target
Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.zip
-
Size
4.0MB
-
Sample
210907-wq7rdadba9
-
MD5
7ba832654386f4cedbfedbffad95bc7f
-
SHA1
90947f2a0357283a9478be72bfa2c4605b135d9e
-
SHA256
4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66
-
SHA512
8e5fe6267ac226114e34e7aecdf4d16b93cc0b27eee8972050c0698f6983e248a80c6e8d248ab583eab76d748f60057b3662c7983cfdaae9a50bca2ff6486c70
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
metasploit
windows/single_exec
Extracted
raccoon
893ea79efb8c967cffd81d8aff5777bc60b45d38
-
url4cnc
https://telete.in/iphbarberleo
Extracted
redline
test
45.14.49.169:22411
Extracted
smokeloader
2020
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Extracted
redline
NORMAN3
45.14.49.184:28743
Extracted
redline
06.09
95.181.163.157:15089
Extracted
redline
185.215.113.29:8678
Extracted
redline
big_tastyyy
87.251.71.44:80
Extracted
vidar
40.5
937
https://gheorghip.tumblr.com/
-
profile_id
937
Extracted
redline
TEST
146.70.35.170:30905
Extracted
raccoon
93d3ccba4a3cbd5e268873fc1760b2335272e198
-
url4cnc
https://telete.in/opa4kiprivatem
Extracted
vidar
40.5
517
https://gheorghip.tumblr.com/
-
profile_id
517
Targets
-
-
Target
keygen-step-1.exe
-
Size
112KB
-
MD5
c615d0bfa727f494fee9ecb3f0acf563
-
SHA1
6c3509ae64abc299a7afa13552c4fe430071f087
-
SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
-
SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
-
-
Target
keygen-step-3.exe
-
Size
873KB
-
MD5
265cadde82b0c66dc39ad2d9ee800754
-
SHA1
2e9604eade6951d5a5b4a44bee1281e32166f395
-
SHA256
40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
-
SHA512
c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Executes dropped EXE
-
Deletes itself
-
-
-
Target
keygen-step-4/Crack.exe
-
Size
56KB
-
MD5
7126148bfe5ca4bf7e098d794122a9a3
-
SHA1
3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64
-
SHA256
f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5
-
SHA512
0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
-
-
Target
keygen-step-4/PBrowFile28.exe
-
Size
1.8MB
-
MD5
8902f8193024fa4187ca1aad97675960
-
SHA1
37a4840c9657205544790c437698b54ca33bfd9d
-
SHA256
95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f
-
SHA512
c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938
Score10/10-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
XMRig Miner Payload
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
keygen-step-4/Setup.exe
-
Size
1.6MB
-
MD5
7009fb80a52366b6c2cd8ec052a65791
-
SHA1
db0894463edf3ac11e5ca4b4584e8f10d75810f6
-
SHA256
767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255
-
SHA512
26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079
Score10/10-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
rl_trojan
redline stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
keygen-step-4/f2217e5f.exe
-
Size
270KB
-
MD5
0388a1ce1bb8c076387b69ffcb3b40ec
-
SHA1
3ec08a53ec024d9be6346440848c37d0e0d7bb80
-
SHA256
448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a
-
SHA512
ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5
Score10/10-
Detected Djvu ransomeware
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
-
-
Target
keygen-step-4/md1_1eaf.exe
-
Size
991KB
-
MD5
f250a9c692088cce4253332a205b1649
-
SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20
-
SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882
-
SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e
Score7/10-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
-
-
Target
keygen-step-4/ss.exe
-
Size
100KB
-
MD5
9a6071c1a67be3fb247f857fe5903bbf
-
SHA1
4a2e14763c51537e8695014007eceaf391a3f600
-
SHA256
01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c
-
SHA512
c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68
Score10/10-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
keygen-step-6.exe
-
Size
267KB
-
MD5
093bc5ebd2d2a39d84c1d35fbd2d9efa
-
SHA1
e028ca17fe2c7cbf7ad234b28cd50ad2c7c440e5
-
SHA256
ee2994ea7f202516db816f85f23aac0a13ec32743d0555f81d68568bb40f4811
-
SHA512
da58e87b099d520f02715ffcf6b50e2a586b6baec5b64d5ee39fb4c4a81ee9b8c18c8e341ee8befcf9048088661d7f182a937a7948aacfac926f1710fa77bcfa
Score6/10-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
keygen.bat
-
Size
149B
-
MD5
0b2622826dd00820d5725440efd7d5f4
-
SHA1
0a9f8675e9b39a984267d402449a7f2291edfb17
-
SHA256
82723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f
-
SHA512
9f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Executes dropped EXE
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Registry Run Keys / Startup Folder
4Scheduled Task
3Modify Existing Service
1Bootkit
1Defense Evasion
Virtualization/Sandbox Evasion
3Modify Registry
7Disabling Security Tools
1File Permissions Modification
1Install Root Certificate
2