Overview

overview

10

Static

static

10

keygen-step-1.exe

windows11_x64

10

keygen-step-1.exe

windows10_x64

10

keygen-step-1.exe

windows10_x64

10

keygen-step-3.exe

windows11_x64

10

keygen-step-3.exe

windows10_x64

8

keygen-step-3.exe

windows10_x64

8

keygen-ste...ck.exe

windows11_x64

10

keygen-ste...ck.exe

windows10_x64

10

keygen-ste...ck.exe

windows10_x64

10

keygen-ste...28.exe

windows11_x64

10

keygen-ste...28.exe

windows10_x64

10

keygen-ste...28.exe

windows10_x64

10

keygen-ste...up.exe

windows11_x64

10

keygen-ste...up.exe

windows10_x64

10

keygen-ste...up.exe

windows10_x64

10

keygen-ste...5f.exe

windows11_x64

10

keygen-ste...5f.exe

windows10_x64

keygen-ste...5f.exe

windows10_x64

10

keygen-ste...af.exe

windows11_x64

7

keygen-ste...af.exe

windows10_x64

7

keygen-ste...af.exe

windows10_x64

7

keygen-step-4/ss.exe

windows11_x64

10

keygen-step-4/ss.exe

windows10_x64

9

keygen-step-4/ss.exe

windows10_x64

9

keygen-step-6.exe

windows11_x64

6

keygen-step-6.exe

windows10_x64

6

keygen-step-6.exe

windows10_x64

6

keygen.bat

windows11_x64

10

keygen.bat

windows10_x64

10

keygen.bat

windows10_x64

10

Resubmissions

07-09-2021 18:08

210907-wq7rdadba9 10

07-09-2021 17:57

210907-wjxylagcfn 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Vaz.2010.2.1.4.v.2.1.4.serial.number.keygen.zip

  • Size

    4.0MB

  • Sample

    210907-wq7rdadba9

  • MD5

    7ba832654386f4cedbfedbffad95bc7f

  • SHA1

    90947f2a0357283a9478be72bfa2c4605b135d9e

  • SHA256

    4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66

  • SHA512

    8e5fe6267ac226114e34e7aecdf4d16b93cc0b27eee8972050c0698f6983e248a80c6e8d248ab583eab76d748f60057b3662c7983cfdaae9a50bca2ff6486c70

Score
10/10
azorultdjvugluptebametasploitraccoonredlinesmokeloadervidarxmrig06.09517893ea79efb8c967cffd81d8aff5777bc60b45d3893793d3ccba4a3cbd5e268873fc1760b2335272e198big_tastyyynorman3testbackdoorbootkitdiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

raccoon

Botnet

893ea79efb8c967cffd81d8aff5777bc60b45d38

Attributes
  • url4cnc

    https://telete.in/iphbarberleo

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

test

C2

45.14.49.169:22411

Extracted

Family

smokeloader

Version

2020

C2

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

NORMAN3

C2

45.14.49.184:28743

Extracted

Family

redline

Botnet

06.09

C2

95.181.163.157:15089

Extracted

Family

redline

C2

185.215.113.29:8678

Extracted

Family

redline

Botnet

big_tastyyy

C2

87.251.71.44:80

Extracted

Family

vidar

Version

40.5

Botnet

937

C2

https://gheorghip.tumblr.com/

Attributes
  • profile_id

    937

Extracted

Family

redline

Botnet

TEST

C2

146.70.35.170:30905

Extracted

Family

raccoon

Botnet

93d3ccba4a3cbd5e268873fc1760b2335272e198

Attributes
  • url4cnc

    https://telete.in/opa4kiprivatem

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

40.5

Botnet

517

C2

https://gheorghip.tumblr.com/

Attributes
  • profile_id

    517

Targets

    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    Score
    10/10
    azorultinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult
    behavioral1behavioral2behavioral3

    • Target

      keygen-step-3.exe

    • Size

      873KB

    • MD5

      265cadde82b0c66dc39ad2d9ee800754

    • SHA1

      2e9604eade6951d5a5b4a44bee1281e32166f395

    • SHA256

      40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a

    • SHA512

      c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

    Score
    10/10

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Deletes itself

    behavioral4behavioral5behavioral6

    • Target

      keygen-step-4/Crack.exe

    • Size

      56KB

    • MD5

      7126148bfe5ca4bf7e098d794122a9a3

    • SHA1

      3fe6be3ee8bf1a0c99139b146913c8c6acd7dd64

    • SHA256

      f8c0350d71e5dd14438d477f73915c4845290c7f0620656624722183b76013f5

    • SHA512

      0bec6450d1be17489436de7a5186dbcb88089edd4227c3b5484460c9368e5ca0a2d88c385d31989f449a5d8cc347057c80a997682d6c0ed1b9cfcb85c677eb48

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral7behavioral8behavioral9

    • Target

      keygen-step-4/PBrowFile28.exe

    • Size

      1.8MB

    • MD5

      8902f8193024fa4187ca1aad97675960

    • SHA1

      37a4840c9657205544790c437698b54ca33bfd9d

    • SHA256

      95de484851569f225488320d573e398ebc2312b2d85b6c2b255b63b21aebb82f

    • SHA512

      c351204604cb24c45ddb26847a22f5487a2942ad2b2361dbd31ce0a308c281be91658907d7fe04b483f053b7f9b0c680cae11361709ba7552f7921e727241938

    Score
    10/10
    gluptebametasploitxmrigbackdoordiscoverydropperevasionloaderminerpersistencespywarestealerthemidatrojan

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner Payload

      miner

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral10behavioral11behavioral12

    • Target

      keygen-step-4/Setup.exe

    • Size

      1.6MB

    • MD5

      7009fb80a52366b6c2cd8ec052a65791

    • SHA1

      db0894463edf3ac11e5ca4b4584e8f10d75810f6

    • SHA256

      767c546decf6f669263e4a0a87a0f5d92234e031e9a0de3733fa954a8f3e0255

    • SHA512

      26e50e4b3d0b5fe866423b9ae0c02f61882f632fe4a16c05da117c02fae9aea26a6c81458e4b0bc2bda8acd0407565132f8bd6b7d3e828dd90fc280b1f15f079

    Score
    10/10
    gluptebametasploitraccoonredlinesmokeloadervidar06.09893ea79efb8c967cffd81d8aff5777bc60b45d38norman3testbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojan937big_tastyyy

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba Payload

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • rl_trojan

      redline stealer.

      stealer

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral13behavioral14behavioral15

    • Target

      keygen-step-4/f2217e5f.exe

    • Size

      270KB

    • MD5

      0388a1ce1bb8c076387b69ffcb3b40ec

    • SHA1

      3ec08a53ec024d9be6346440848c37d0e0d7bb80

    • SHA256

      448febc4311881856de2c237285907fe9470818e169946b0dbf1362f332e070a

    • SHA512

      ea5af764d0373c8b9a5faf6d7094c76c9c321e227713bceecd49df50fa888e8fd04b1dfe16c4b75a8727717582b06383825e5d4317db1b875951ee240edd71d5

    Score
    10/10
    djvuraccoonredlinesmokeloader93d3ccba4a3cbd5e268873fc1760b2335272e198testbackdoorbootkitdiscoveryinfostealerpersistenceransomwarespywarestealertrojanvidar517

    • Detected Djvu ransomeware

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

      ransomwaredjvu

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine Payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Vidar Stealer

      stealer

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of SetThreadContext

    behavioral16behavioral17behavioral18

    • Target

      keygen-step-4/md1_1eaf.exe

    • Size

      991KB

    • MD5

      f250a9c692088cce4253332a205b1649

    • SHA1

      109c79124ce2bda06cab50ea5d97294d13d42b20

    • SHA256

      0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

    • SHA512

      80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

    Score
    7/10
    evasionspywarestealertrojan

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    behavioral19behavioral20behavioral21

    • Target

      keygen-step-4/ss.exe

    • Size

      100KB

    • MD5

      9a6071c1a67be3fb247f857fe5903bbf

    • SHA1

      4a2e14763c51537e8695014007eceaf391a3f600

    • SHA256

      01a9cb71df1d038bbec243ec7f2c1dd12d65a735297469c7f72be80886842e3c

    • SHA512

      c862ed8670b48e23b081e1c91280599ffdd963e714665b80553b41540cb3584c823a25f05c75e47eaea1473c687a9ef7c9a219d724d059e5bd77ac6d127f5e68

    Score
    10/10
    discoveryevasionpersistencespywarestealerthemidatrojan

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral22behavioral23behavioral24

    • Target

      keygen-step-6.exe

    • Size

      267KB

    • MD5

      093bc5ebd2d2a39d84c1d35fbd2d9efa

    • SHA1

      e028ca17fe2c7cbf7ad234b28cd50ad2c7c440e5

    • SHA256

      ee2994ea7f202516db816f85f23aac0a13ec32743d0555f81d68568bb40f4811

    • SHA512

      da58e87b099d520f02715ffcf6b50e2a586b6baec5b64d5ee39fb4c4a81ee9b8c18c8e341ee8befcf9048088661d7f182a937a7948aacfac926f1710fa77bcfa

    Score
    6/10

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral25behavioral26behavioral27

    • Target

      keygen.bat

    • Size

      149B

    • MD5

      0b2622826dd00820d5725440efd7d5f4

    • SHA1

      0a9f8675e9b39a984267d402449a7f2291edfb17

    • SHA256

      82723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f

    • SHA512

      9f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3

    Score
    10/10
    azorultinfostealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral28behavioral29behavioral30

MITRE ATT&CK Enterprise v6

Tasks

static1

azorult
Score
10/10

behavioral1

azorultinfostealertrojan
Score
10/10

behavioral2

azorultinfostealertrojan
Score
10/10

behavioral3

azorultinfostealertrojan
Score
10/10

behavioral4

Score
10/10

behavioral5

Score
8/10

behavioral6

Score
8/10

behavioral7

Score
10/10

behavioral8

Score
10/10

behavioral9

Score
10/10

behavioral10

gluptebametasploitxmrigbackdoordiscoverydropperevasionloaderminerpersistencespywarestealerthemidatrojan
Score
10/10

behavioral11

gluptebametasploitxmrigbackdoordiscoverydropperevasionloaderminerpersistencespywarestealerthemidatrojan
Score
10/10

behavioral12

gluptebametasploitxmrigbackdoordiscoverydropperevasionloaderminerpersistencespywarestealerthemidatrojan
Score
10/10

behavioral13

gluptebametasploitraccoonredlinesmokeloadervidar06.09893ea79efb8c967cffd81d8aff5777bc60b45d38norman3testbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojan
Score
10/10

behavioral14

gluptebametasploitraccoonredlinevidar06.09893ea79efb8c967cffd81d8aff5777bc60b45d38937big_tastyyynorman3backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojan
Score
10/10

behavioral15

gluptebametasploitraccoonredlinesmokeloadervidar06.09893ea79efb8c967cffd81d8aff5777bc60b45d38937norman3testbackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojan
Score
10/10

behavioral16

Score
10/10

behavioral17

djvuraccoonredlinesmokeloader93d3ccba4a3cbd5e268873fc1760b2335272e198testbackdoorbootkitdiscoveryinfostealerpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral18

djvuredlinesmokeloadervidar517testbackdoorbootkitdiscoveryinfostealerpersistenceransomwarespywarestealertrojan
Score
10/10

behavioral19

evasionspywarestealertrojan
Score
7/10

behavioral20

evasionspywarestealertrojan
Score
7/10

behavioral21

evasionspywarestealertrojan
Score
7/10

behavioral22

discoveryevasionpersistencespywarestealerthemidatrojan
Score
10/10

behavioral23

discoveryevasionpersistencespywarestealerthemidatrojan
Score
9/10

behavioral24

discoveryevasionpersistencespywarestealerthemidatrojan
Score
9/10

behavioral25

Score
6/10

behavioral26

Score
6/10

behavioral27

Score
6/10

behavioral28

azorultinfostealertrojan
Score
10/10

behavioral29

azorultinfostealertrojan
Score
10/10

behavioral30

azorultinfostealertrojan
Score
10/10