General
-
Target
BookletCreator.v1.4.keygen.by.orion.exe
-
Size
16.4MB
-
Sample
220925-hnl51aehen
-
MD5
6142633864870e6797ad77499f596f5d
-
SHA1
87b9b85c6871449a92dfc0882c8d1ecec48c579a
-
SHA256
8c9e2676a1a4fb3c147b277ed5366e0697361f734fe63c668ab3625bc35a870c
-
SHA512
610cb8306d76260968bcb24e6bbd4dc557b0f2921d2ae07722d47a2e0f3a6887cfd99aa59caccf409fd3ba8261831046f36c10661b50ea502c0d1ec1db49fbfd
-
SSDEEP
393216:nDYcRsuBbPVVk8cJcDQ/9AveVU/75hYzynSD/JvxQMngO:n0cRsu7m8+PluZ/VCWg3QUh
Static task
static1
Behavioral task
behavioral1
Sample
BookletCreator.v1.4.keygen.by.orion.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
redline
Vinmat
15.235.171.56:30730
-
auth_value
699eda832e48220d3d26a9458dee1daa
Extracted
socelars
https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/
Extracted
raccoon
681eba47078319b9f76eff3159c0ff86
http://94.131.97.33/
http://45.67.229.149/
Extracted
vidar
54.6
915
https://t.me/huobiinside
https://mas.to/@kyriazhs1975
-
profile_id
915
Extracted
nymaim
208.67.104.97
85.31.46.167
Targets
-
-
Target
BookletCreator.v1.4.keygen.by.orion.exe
-
Size
16.4MB
-
MD5
6142633864870e6797ad77499f596f5d
-
SHA1
87b9b85c6871449a92dfc0882c8d1ecec48c579a
-
SHA256
8c9e2676a1a4fb3c147b277ed5366e0697361f734fe63c668ab3625bc35a870c
-
SHA512
610cb8306d76260968bcb24e6bbd4dc557b0f2921d2ae07722d47a2e0f3a6887cfd99aa59caccf409fd3ba8261831046f36c10661b50ea502c0d1ec1db49fbfd
-
SSDEEP
393216:nDYcRsuBbPVVk8cJcDQ/9AveVU/75hYzynSD/JvxQMngO:n0cRsu7m8+PluZ/VCWg3QUh
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Socelars payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-