General

  • Target

    Total.Recall.Data.Recovery.Sof.key.generator.by.orion.zip

  • Size

    8.9MB

  • Sample

    211016-hmkksacegm

  • MD5

    74262ca50d44b86778b24ca91c2f78c2

  • SHA1

    b5e97fc3163766e09c9dd98298854ffe94136b14

  • SHA256

    12044edcb89b6026021208f988f3ae17848d6bc11c4dcf7b5b9604ba93ca894a

  • SHA512

    4f246699437080f72006fc21ee2a7c45d1578f0e6ec3e313275fe9506ed3edb191c160b28bb34c54dc16ccc1413a09b8b94ecd4d62ea4e631877989a49820421

Malware Config

Extracted

  • Family

    azorult

  • C2

    http://kvaka.li/1210776429.php

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://directorycart.com/upload/
    http://tierzahnarzt.at/upload/
    http://streetofcards.com/upload/
    http://ycdfzd.com/upload/
    http://successcoachceo.com/upload/
    http://uhvu.cn/upload/
    http://japanarticle.com/upload/

  • rc4.i32

  • rc4.i32

Targets

    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • suricata: ET MALWARE AZORult v3.3 Server Response M3

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6

    • Deletes itself

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      keygen-step-3.exe

    • Size

      870KB

    • MD5

      6eca38830ad4ade1839cae2f53a26c2c

    • SHA1

      497915c95a45911dd65f278f5e84a23fcabc08d0

    • SHA256

      6c1a6e6ee005c455f692a01ded526a040ecb351ed80e7b0f70761d5edc96c884

    • SHA512

      c9ba70e8d359768920277e8005c77c8a0d3412f3acdfc500c0987909b92ce2273226803ca390f5176a6b0eea117b6159a01f4ec755a787fc5c7c3a26be83af82

    • Score

      7/10

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      keygen-step-4.exe

    • Size

      4.3MB

    • MD5

      0fbf068bab86c0fa123e8211ff92ade5

    • SHA1

      7888a0db5569288d1b11b36620ede09f9401ecc8

    • SHA256

      fd12164ece518635296ebae00c8c5d063a4deb9ee781543115522741faf8df86

    • SHA512

      c8affc5c4a0f044275ef3e6b77fd05fda3ef54bd5833c13016857eb2b5f0c089ac5a10797945d48465f024a994bca43fbb1bfb7d697f69b83230cd7491ef1ba5

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Socelars Payload

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4/Crack.exe

    • Size

      89KB

    • MD5

      da3e5208d9182ffa5b46087596c64dfe

    • SHA1

      4b0848af9eeb8846af0200e16243d98b4bc74cb9

    • SHA256

      dd3403e0d473095cc2caebf4b0a3f82ab36574e0e7bb4fb0de5c854f78cd53ae

    • SHA512

      980d06ea567591a5940c47b56a553b860bf04be673440ea31396df128bb75767e9d1eedc7f7bccd81e03575633b92b52aacbe6519b37a2d8cf70991e137f33b2

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-4/DownFlSetup133.exe

    • Size

      62KB

    • MD5

      c53f7f5d2238fc61fe7bbc08fbce924a

    • SHA1

      079782d9df550aed0511fcf278bedc3385d189d3

    • SHA256

      9d7a0737450e920bac9c9af8584bc8eda9a888a92e778e0dfa2b459651750de2

    • SHA512

      280dbcdaa9492c670627b730fe48a65a259909df6b072eb5f6ae23da456621730d88c6b2a5a41c3a94d28de1d5862f7da26d45d0ea820a61a35f2fff9e57ee53

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      keygen-step-4/IDWCH1.exe

    • Size

      484KB

    • MD5

      d9f500d47d763f70e15b084dd32ae731

    • SHA1

      701f85cc50ed9c75ce47294d5de0ee7887ea082a

    • SHA256

      c7074ace7579d79e804da50b9c14700f5a8017f180fb7f1eaf5fe52d13e42424

    • SHA512

      cf80024c539addf43da8d26a9072969b8851d43a7eb46c81439dbf31f7b3ad4fa2de53396dd0c857ad5d354f912706a4f9681a5f1665beb7e94f3aa52d24c590

    • Score

      8/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      keygen-step-4/Install.exe

    • Size

      900KB

    • MD5

      1a33ab6609940ea3591ce553d455ab05

    • SHA1

      18a85b7e549484fe87b1007f14edce31512a4eee

    • SHA256

      e963f8afc089bc66b203c279775ede3aea8a47c99b1a8383bc16b6e484d3a288

    • SHA512

      71936619888a9c06ab083e4a867c8b9a7ed5f5a189850728382b4eddfb7ed7eb51a198cbe36ccb72c6062aea49a0d99908a9e1fba342b3f12a7365b5d4220392

    • Score

      10/10

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      keygen-step-4/Setup.exe

    • Size

      1.4MB

    • MD5

      9cb194c753bfe5359de498bc45dda61a

    • SHA1

      f17fbb2c2ac58390645fc47f1767624c4c2ae3c3

    • SHA256

      530f6bb06a8e947643a117d07dcdb63cdefec3b8789333b284b15f264421b731

    • SHA512

      136c9aaf3203944c3d3aa30c351bc2002c3ae667f8115e8e35b31301ea25c2781bc5d38acb90d27d35b22641155782496325c17f18bc3316c7c5ef6768b5c067

    • Socelars

      Socelars is an infostealer targeting browser cookies and credit card credentials.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      keygen-step-4/low.exe

    • Size

      336KB

    • MD5

      95474ed3f97fb7167dff3990ff0155ec

    • SHA1

      b55c38792f78c5f76f2f2ee656f24f59390fb0f6

    • SHA256

      5e6b720e26146efd236e9c18c834f28723b9f182d9ce85d1c833ac3f8311eed0

    • SHA512

      8bf50f00aa7d0f5c4e5f4c6eeb93131768bb2e974e5edd73453db6d64bcbf90f088f324102df6b17311dff268f79a4ef6357da609ada7440229563f09aefd956

    • Score

      10/10

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE GCleaner Downloader Activity M5

    • Deletes itself

    • Target

      keygen-step-4/md1_1eaf.exe

    • Size

      2.1MB

    • MD5

      4909c6380fbbd6a069d022bdc918bf7d

    • SHA1

      d3ec258ac6469bb6039e7a3336a4994f1cc44e7b

    • SHA256

      4471b4d453b3bb35e6838e078b5fdc944b689c3ff51947482fc02d8e351fa0fd

    • SHA512

      39c068d0bbe6dde881ed2aefdeec35afa29a30923e167bad1376f4bdd3500961dcac7b2043370738f7edc5f468d79de787f909b8f65b7115d02b27721b435f8a

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      keygen-step-4/pub1.exe

    • Size

      292KB

    • MD5

      21d97164ae557fe9f699de68ed6b2e26

    • SHA1

      54f3d96addce8823edcd6b09a8ed59be31ed20b4

    • SHA256

      45fc5cfccbb4088e43a65c0c53ec4d2486317f87ba4d06da4d66278d8025381d

    • SHA512

      b5485e5855ba81e457bf1a6c0b04de4ba1f60f2c87f7f6a23266d565496a713717a4327ee0cfd77b83e21c69309f05a2e7e37601cb5dd62eb03fc22933c3b64f

    • Target

      keygen-step-6.exe

    • Size

      259KB

    • MD5

      8a68b15e1ac9fb79edb7234c4c3a3d15

    • SHA1

      44dba002891c289a4b6f3786ee6ffb78f36cf905

    • SHA256

      cb37fca86de8379826ad03e0aec2cb160b072a07e57b0090c67648c7602edd54

    • SHA512

      66dc4fec06eae44b59f31ca6c40f91d4fa6d0aaa3b65734c53c251bc899acb07e955ab22cfb7200d0f78e7ac288f3bfab280c05646eef38ac5589b506f54e70a

    • Score

      6/10

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      keygen.bat

    • Size

      149B

    • MD5

      0b2622826dd00820d5725440efd7d5f4

    • SHA1

      0a9f8675e9b39a984267d402449a7f2291edfb17

    • SHA256

      82723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f

    • SHA512

      9f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    • suricata: ET MALWARE GCleaner Downloader Activity M5

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 3

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 3

  • Modify Registry (T1112): 6

  • Install Root Certificate (T1130): 3

Credential Access

  • Credentials in Files (T1081): 15

Discovery

  • Query Registry (T1012): 18

  • System Information Discovery (T1082): 21

  • Remote System Discovery (T1018): 2

  • Virtualization/Sandbox Evasion (T1497): 3

  • Peripheral Device Discovery (T1120): 3

Collection

  • Data from Local System (T1005): 15

  • Email Collection (T1114): 1

Command and Control

  • Web Service (T1102): 6

Tasks

  • static1

    Tags: azorult, socelars
    Score: 10/10

  • behavioral1

    Tags: azorult, collection, discovery, infostealer, spyware, stealer, suricata, trojan
    Score: 10/10

  • behavioral2

    Tags: azorult, infostealer, suricata, trojan
    Score: 10/10

  • behavioral3

    Score: 1/10

  • behavioral4

    Tags: spyware, stealer
    Score: 7/10

  • behavioral5

    Score: 8/10

  • behavioral6

    Tags: smokeloader, socelars, backdoor, discovery, evasion, persistence, spyware, stealer, suricata, themida, trojan
    Score: 10/10

  • behavioral7

    Score: 3/10

  • behavioral8

    Tags: suricata
    Score: 10/10

  • behavioral9

    Tags: discovery, evasion, persistence, spyware, stealer, themida, trojan
    Score: 9/10

  • behavioral10

    Tags: discovery, evasion, persistence, spyware, stealer, themida, trojan
    Score: 9/10

  • behavioral11

    Score: 8/10

  • behavioral12

    Score: 8/10

  • behavioral13

    Score: 1/10

  • behavioral14

    Tags: spyware, stealer
    Score: 10/10

  • behavioral15

    Tags: socelars, discovery, spyware, stealer
    Score: 10/10

  • behavioral16

    Tags: socelars, spyware, stealer
    Score: 10/10

  • behavioral17

    Tags: suricata
    Score: 10/10

  • behavioral18

    Tags: suricata
    Score: 10/10

  • behavioral19

    Tags: spyware, stealer
    Score: 7/10

  • behavioral20

    Tags: evasion, spyware, stealer, trojan
    Score: 7/10

  • behavioral21

    Tags: smokeloader, backdoor, trojan
    Score: 10/10

  • behavioral22

    Tags: smokeloader, backdoor, trojan
    Score: 10/10

  • behavioral23

    Score: 6/10

  • behavioral24

    Score: 6/10

  • behavioral25

    Tags: azorult, infostealer, suricata, trojan
    Score: 10/10

  • behavioral26

    Tags: azorult, smokeloader, backdoor, discovery, evasion, infostealer, persistence, spyware, stealer, suricata, themida, trojan
    Score: 10/10