Overview (score 10/10)
Static (score 10/10)

Tasks (sample / platform / score):
- keygen-step-1.exe / windows7_x64 / 10
- keygen-step-1.exe / windows10_x64 / 10
- keygen-step-3.exe / windows7_x64 / 1
- keygen-step-3.exe / windows10_x64 / 7
- keygen-step-4.exe / windows7_x64 / 8
- keygen-step-4.exe / windows10_x64 / 10
- keygen-ste...ck.exe / windows7_x64 / 3
- keygen-ste...ck.exe / windows10_x64 / 10
- keygen-ste...33.exe / windows7_x64 / 9
- keygen-ste...33.exe / windows10_x64 / 9
- keygen-ste...H1.exe / windows7_x64 / 8
- keygen-ste...H1.exe / windows10_x64 / 8
- keygen-ste...ll.exe / windows7_x64 / (no score shown)
- keygen-ste...ll.exe / windows10_x64 / 10
- keygen-ste...up.exe / windows7_x64 / 10
- keygen-ste...up.exe / windows10_x64 / 10
- keygen-step-4/low.exe / windows7_x64 / 10
- keygen-step-4/low.exe / windows10_x64 / 10
- keygen-ste...af.exe / windows7_x64 / 7
- keygen-ste...af.exe / windows10_x64 / 7
- keygen-ste...b1.exe / windows7_x64 / 10
- keygen-ste...b1.exe / windows10_x64 / 10
- keygen-step-6.exe / windows7_x64 / 6
- keygen-step-6.exe / windows10_x64 / 6
- keygen.bat / windows7_x64 / 10
- keygen.bat / windows10_x64 / 10

General
Target: Total.Recall.Data.Recovery.Sof.key.generator.by.orion.zip
Size: 8.9MB
Sample: 211016-hmkksacegm
MD5: 74262ca50d44b86778b24ca91c2f78c2
SHA1: b5e97fc3163766e09c9dd98298854ffe94136b14
SHA256: 12044edcb89b6026021208f988f3ae17848d6bc11c4dcf7b5b9604ba93ca894a
SHA512: 4f246699437080f72006fc21ee2a7c45d1578f0e6ec3e313275fe9506ed3edb191c160b28bb34c54dc16ccc1413a09b8b94ecd4d62ea4e631877989a49820421
Behavioral tasks (task: sample, sandbox resource):
- behavioral1: keygen-step-1.exe, win7-en-20211014
- behavioral2: keygen-step-1.exe, win10-en-20210920
- behavioral3: keygen-step-3.exe, win7-en-20211014
- behavioral4: keygen-step-3.exe, win10-en-20210920
- behavioral5: keygen-step-4.exe, win7-en-20210920
- behavioral6: keygen-step-4.exe, win10-en-20211014
- behavioral7: keygen-step-4/Crack.exe, win7-en-20210920
- behavioral8: keygen-step-4/Crack.exe, win10-en-20211014
- behavioral9: keygen-step-4/DownFlSetup133.exe, win7-en-20210920
- behavioral10: keygen-step-4/DownFlSetup133.exe, win10-en-20211014
- behavioral11: keygen-step-4/IDWCH1.exe, win7-en-20210920
- behavioral12: keygen-step-4/IDWCH1.exe, win10-en-20210920
- behavioral13: keygen-step-4/Install.exe, win7-en-20211014
- behavioral14: keygen-step-4/Install.exe, win10-en-20210920
- behavioral15: keygen-step-4/Setup.exe, win7-en-20211014
- behavioral16: keygen-step-4/Setup.exe, win10-en-20210920
- behavioral17: keygen-step-4/low.exe, win7-en-20211014
- behavioral18: keygen-step-4/low.exe, win10-en-20210920
- behavioral19: keygen-step-4/md1_1eaf.exe, win7-en-20210920
- behavioral20: keygen-step-4/md1_1eaf.exe, win10-en-20211014
- behavioral21: keygen-step-4/pub1.exe, win7-en-20210920
- behavioral22: keygen-step-4/pub1.exe, win10-en-20211014
- behavioral23: keygen-step-6.exe, win7-en-20210920
- behavioral24: keygen-step-6.exe, win10-en-20211014
- behavioral25: keygen.bat, win7-en-20210920
- behavioral26: keygen.bat, win10-en-20210920
Malware Config
Extracted: azorult
- C2: http://kvaka.li/1210776429.php
Extracted: smokeloader (version 2020)
- C2: http://directorycart.com/upload/
- C2: http://tierzahnarzt.at/upload/
- C2: http://streetofcards.com/upload/
- C2: http://ycdfzd.com/upload/
- C2: http://successcoachceo.com/upload/
- C2: http://uhvu.cn/upload/
- C2: http://japanarticle.com/upload/
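The extracted C2 URLs turned into a proxy-log check. This is an added example written for this page; it is not part of the sandbox report and not any vendor's tooling. Only the URLs come from the config above. The log format (whitespace-separated timestamp, client, method, URL, status), the client addresses and the timestamps are constructed for the example.

```python
"""Match outbound web-proxy traffic against the C2 URLs extracted above.

Added example, not part of the sandbox report. Only the C2 URLs come from the
report; the proxy log lines, client IPs and timestamps below are constructed.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as listed in the Malware Config section.
EXTRACTED_C2 = {
    "azorult": ["http://kvaka.li/1210776429.php"],
    "smokeloader": [
        "http://directorycart.com/upload/",
        "http://tierzahnarzt.at/upload/",
        "http://streetofcards.com/upload/",
        "http://ycdfzd.com/upload/",
        "http://successcoachceo.com/upload/",
        "http://uhvu.cn/upload/",
        "http://japanarticle.com/upload/",
    ],
}


def build_index(extracted):
    """Map host -> list of (family, path) so a request is matched on host AND path.

    Matching on the host alone is deliberately avoided: a SmokeLoader gate sits
    under one directory of a site that may otherwise serve ordinary content, so a
    host-only rule would also fire on unrelated pages of the same site.
    """
    index = {}
    for family, urls in extracted.items():
        for url in urls:
            parts = urlsplit(url)
            index.setdefault(parts.hostname.lower(), []).append((family, parts.path or "/"))
    return index


def classify_request(url, index):
    """Return (family, confidence) for a proxied URL, or None if no C2 host is involved.

    'high' - host and path match an extracted C2 URL (directory entries such as
             /upload/ also match anything underneath them);
    'low'  - only the host matches; worth a look, but not proof of infection.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host not in index:
        return None
    for family, c2_path in index[host]:
        if path == c2_path or (c2_path.endswith("/") and path.startswith(c2_path)):
            return (family, "high")
    return (index[host][0][0], "low")


# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2021-10-16T10:15:01Z 10.0.0.5 POST http://directorycart.com/upload/ 200
2021-10-16T10:15:03Z 10.0.0.5 GET http://www.example.org/index.html 200
2021-10-16T10:15:09Z 10.0.0.7 GET http://tierzahnarzt.at/ 200
2021-10-16T10:15:12Z 10.0.0.5 POST http://kvaka.li/1210776429.php 200
2021-10-16T10:15:20Z 10.0.0.9 GET http://ycdfzd.com/upload/gate.php 404
"""


def scan_log(log_text, extracted=EXTRACTED_C2):
    """Return one dict per log line that touches a C2 host, in log order."""
    index = build_index(extracted)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status = line.split()
        verdict = classify_request(url, index)
        if verdict:
            hits.append({"ts": ts, "client": client, "method": method, "url": url,
                         "status": status, "family": verdict[0], "confidence": verdict[1]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['confidence']:4} {hit['family']:11} "
              f"{hit['method']} {hit['url']}")
```

The confidence split matters in practice: a POST to a configured gate path is a strong indicator of a SmokeLoader check-in, while a GET to the front page of one of those hosts tells you only that someone visited the site. Scheme and host case are normalised so an https or upper-case variant of the same URL still matches.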
Targets

Target: keygen-step-1.exe
Size: 112KB
MD5: c615d0bfa727f494fee9ecb3f0acf563
SHA1: 6c3509ae64abc299a7afa13552c4fe430071f087
SHA256: 95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512: d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
Signatures:
- Azorult: an information stealer that was first discovered in 2016, targeting browsing history and passwords.
- suricata: ET MALWARE AZORult v3.3 Server Response M3
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
- Deletes itself
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
Target: keygen-step-3.exe
Size: 870KB
MD5: 6eca38830ad4ade1839cae2f53a26c2c
SHA1: 497915c95a45911dd65f278f5e84a23fcabc08d0
SHA256: 6c1a6e6ee005c455f692a01ded526a040ecb351ed80e7b0f70761d5edc96c884
SHA512: c9ba70e8d359768920277e8005c77c8a0d3412f3acdfc500c0987909b92ce2273226803ca390f5176a6b0eea117b6159a01f4ec755a787fc5c7c3a26be83af82
Target: keygen-step-4.exe
Size: 4.3MB
MD5: 0fbf068bab86c0fa123e8211ff92ade5
SHA1: 7888a0db5569288d1b11b36620ede09f9401ecc8
SHA256: fd12164ece518635296ebae00c8c5d063a4deb9ee781543115522741faf8df86
SHA512: c8affc5c4a0f044275ef3e6b77fd05fda3ef54bd5833c13016857eb2b5f0c089ac5a10797945d48465f024a994bca43fbb1bfb7d697f69b83230cd7491ef1ba5
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro. For this sample read it together with the NtCreateProcessExOtherParentProcess hit below: a child created under a spoofed parent produces exactly this kind of unexpected parent/child pair without any exploit being involved.
- Socelars Payload
- Suspicious use of NtCreateProcessExOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE GCleaner Downloader Activity M5
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the calling thread stops delivering debug events to an attached debugger)
- Suspicious use of SetThreadContext (typical of process hollowing / RunPE injection, where a suspended child's entry point is redirected into injected code)
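Four of the behaviours listed for this task are registry reads or writes (the BIOS check, the VirtualBox ACPI key, the Uninstall enumeration and the Run key). The following is an added example, written for this page by the editor, of turning them into rules that run over a Process Monitor-style CSV export; it is not the sandbox's own signature logic. The key paths, the operation names and the msiexec allow-list entry are this editor's approximation, and the CSV lines are constructed rather than captured from these samples.

```python
"""Classify registry activity against the sandbox behaviours listed above.

Added example, not part of the report or of the sandbox's own signature logic.
The rules below are an approximation of four of the listed behaviours; the
Process Monitor-style CSV lines are constructed, not captured.
"""
import csv
import io
import re
from collections import defaultdict

# (behaviour name as it appears in the report, operation regex, path regex)
RULES = [
    ("Checks BIOS information in registry",
     r"^Reg(Open|Query)",
     r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(BIOS\\|SystemBiosVersion|VideoBiosVersion)"),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     r"^Reg(Open|Query|Enum)",
     r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__"),
    ("Checks installed software on the system",
     r"^Reg(Open|Query|Enum)",
     r"^HK(LM|CU)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    ("Adds Run key to start application",
     r"^RegSetValue$",
     r"^HK(LM|CU)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"),
]

# Processes for which a behaviour is expected and therefore not reported: the
# Uninstall hive is read by installers and inventory agents all day, so that
# rule needs process context before it means anything. Assumed allow-list.
EXPECTED = {
    ("Checks installed software on the system", "msiexec.exe"),
}


def classify(log_text):
    """Return {process name: set of matched behaviour names} for a procmon CSV export."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        proc, op, path = row["Process Name"], row["Operation"], row["Path"]
        for name, op_re, path_re in RULES:
            # Registry paths are case-insensitive; operation names are not.
            if re.match(op_re, op) and re.match(path_re, path, re.IGNORECASE):
                if (name, proc.lower()) not in EXPECTED:
                    hits[proc].add(name)
    return dict(hits)


def triage(hits, threshold=2):
    """Rank processes by number of distinct behaviours; drop those below threshold.

    One anti-VM read is weak evidence on its own (some legitimate software checks
    for VirtualBox too); several of these behaviours from one image, environment
    checks followed by a Run-key write in particular, is what the report's score
    reflects.
    """
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(proc, sorted(names)) for proc, names in ranked if len(names) >= threshold]


# Constructed Process Monitor-style CSV (same column layout as a procmon export).
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:14:02.1000000","keygen-step-4.exe","2216","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer","SUCCESS","Type: REG_SZ, Length: 26, Data: innotek GmbH"
"10:14:02.1200000","keygen-step-4.exe","2216","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","SUCCESS","Desired Access: Read"
"10:14:02.3000000","keygen-step-4.exe","2216","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 0, Name: 7-Zip"
"10:14:03.0000000","keygen-step-4.exe","2216","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 72, Data: C:\Users\u\AppData\Roaming\upd.exe"
"10:14:05.0000000","explorer.exe","1340","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:14:06.0000000","msiexec.exe","3020","RegEnumKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall","SUCCESS","Index: 3, Name: Git"
'''

if __name__ == "__main__":
    for proc, names in triage(classify(SAMPLE_LOG)):
        print(proc)
        for name in names:
            print("  -", name)
```

Note that Sysmon does not log registry reads, only key creation and value writes, so the BIOS, ACPI and Uninstall rules need an API trace or Process Monitor capture as input; only the Run-key rule maps directly onto Sysmon event ID 13.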
Target: keygen-step-4/Crack.exe
Size: 89KB
MD5: da3e5208d9182ffa5b46087596c64dfe
SHA1: 4b0848af9eeb8846af0200e16243d98b4bc74cb9
SHA256: dd3403e0d473095cc2caebf4b0a3f82ab36574e0e7bb4fb0de5c854f78cd53ae
SHA512: 980d06ea567591a5940c47b56a553b860bf04be673440ea31396df128bb75767e9d1eedc7f7bccd81e03575633b92b52aacbe6519b37a2d8cf70991e137f33b2
Score: 10/10
Signatures:
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- Loads dropped DLL
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (typical of process hollowing / RunPE injection)
Target: keygen-step-4/DownFlSetup133.exe
Size: 62KB
MD5: c53f7f5d2238fc61fe7bbc08fbce924a
SHA1: 079782d9df550aed0511fcf278bedc3385d189d3
SHA256: 9d7a0737450e920bac9c9af8584bc8eda9a888a92e778e0dfa2b459651750de2
SHA512: 280dbcdaa9492c670627b730fe48a65a259909df6b072eb5f6ae23da456621730d88c6b2a5a41c3a94d28de1d5862f7da26d45d0ea820a61a35f2fff9e57ee53
Signatures:
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the calling thread stops delivering debug events to an attached debugger)
Target: keygen-step-4/IDWCH1.exe
Size: 484KB
MD5: d9f500d47d763f70e15b084dd32ae731
SHA1: 701f85cc50ed9c75ce47294d5de0ee7887ea082a
SHA256: c7074ace7579d79e804da50b9c14700f5a8017f180fb7f1eaf5fe52d13e42424
SHA512: cf80024c539addf43da8d26a9072969b8851d43a7eb46c81439dbf31f7b3ad4fa2de53396dd0c857ad5d354f912706a4f9681a5f1665beb7e94f3aa52d24c590
Score: 8/10
Signatures:
- Executes dropped EXE
- Loads dropped DLL
Target: keygen-step-4/Install.exe
Size: 900KB
MD5: 1a33ab6609940ea3591ce553d455ab05
SHA1: 18a85b7e549484fe87b1007f14edce31512a4eee
SHA256: e963f8afc089bc66b203c279775ede3aea8a47c99b1a8383bc16b6e484d3a288
SHA512: 71936619888a9c06ab083e4a867c8b9a7ed5f5a189850728382b4eddfb7ed7eb51a198cbe36ccb72c6062aea49a0d99908a9e1fba342b3f12a7365b5d4220392
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: keygen-step-4/Setup.exe
Size: 1.4MB
MD5: 9cb194c753bfe5359de498bc45dda61a
SHA1: f17fbb2c2ac58390645fc47f1767624c4c2ae3c3
SHA256: 530f6bb06a8e947643a117d07dcdb63cdefec3b8789333b284b15f264421b731
SHA512: 136c9aaf3203944c3d3aa30c351bc2002c3ae667f8115e8e35b31301ea25c2781bc5d38acb90d27d35b22641155782496325c17f18bc3316c7c5ef6768b5c067
Signatures:
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
Target: keygen-step-4/low.exe
Size: 336KB
MD5: 95474ed3f97fb7167dff3990ff0155ec
SHA1: b55c38792f78c5f76f2f2ee656f24f59390fb0f6
SHA256: 5e6b720e26146efd236e9c18c834f28723b9f182d9ce85d1c833ac3f8311eed0
SHA512: 8bf50f00aa7d0f5c4e5f4c6eeb93131768bb2e974e5edd73453db6d64bcbf90f088f324102df6b17311dff268f79a4ef6357da609ada7440229563f09aefd956
Score: 10/10
Signatures:
- Suspicious use of NtCreateProcessExOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- suricata: ET MALWARE GCleaner Downloader Activity M5
- Deletes itself
Target: keygen-step-4/md1_1eaf.exe
Size: 2.1MB
MD5: 4909c6380fbbd6a069d022bdc918bf7d
SHA1: d3ec258ac6469bb6039e7a3336a4994f1cc44e7b
SHA256: 4471b4d453b3bb35e6838e078b5fdc944b689c3ff51947482fc02d8e351fa0fd
SHA512: 39c068d0bbe6dde881ed2aefdeec35afa29a30923e167bad1376f4bdd3500961dcac7b2043370738f7edc5f468d79de787f909b8f65b7115d02b27721b435f8a
Signatures:
- Legitimate hosting services abused for malware hosting/C2
Target: keygen-step-4/pub1.exe
Size: 292KB
MD5: 21d97164ae557fe9f699de68ed6b2e26
SHA1: 54f3d96addce8823edcd6b09a8ed59be31ed20b4
SHA256: 45fc5cfccbb4088e43a65c0c53ec4d2486317f87ba4d06da4d66278d8025381d
SHA512: b5485e5855ba81e457bf1a6c0b04de4ba1f60f2c87f7f6a23266d565496a713717a4327ee0cfd77b83e21c69309f05a2e7e37601cb5dd62eb03fc22933c3b64f
Score: 10/10
Signatures:
- Deletes itself
Target: keygen-step-6.exe
Size: 259KB
MD5: 8a68b15e1ac9fb79edb7234c4c3a3d15
SHA1: 44dba002891c289a4b6f3786ee6ffb78f36cf905
SHA256: cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54
SHA512: 66dc4fec06eae44b59f31ca6c40f91d4fa6d0aaa3b65734c53c251bc899acb07e955ab22cfb7200d0f78e7ac288f3bfab280c05646eef38ac5589b506f54e70a
Score: 6/10
Signatures:
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Target: keygen.bat
Size: 149B
MD5: 0b2622826dd00820d5725440efd7d5f4
SHA1: 0a9f8675e9b39a984267d402449a7f2291edfb17
SHA256: 82723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f
SHA512: 9f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3
Signatures (a 149-byte batch wrapper; the behaviours below are presumably those of the executables it launches, which is why this list is the union of the targets above):
- Azorult: an information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateProcessExOtherParentProcess (a process created with a parent other than the caller, i.e. parent PID spoofing)
- suricata: ET MALWARE ClipBanker Variant Activity (POST)
- suricata: ET MALWARE GCleaner Downloader Activity M5
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the calling thread stops delivering debug events to an attached debugger)
- Suspicious use of SetThreadContext (typical of process hollowing / RunPE injection)