General

  • Target

    Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion(1).zip

  • Size

    15.4MB

  • Sample

    220930-ys6m7sfehn

  • MD5

    6b32513ff7534ab5163af7201c25a99c

  • SHA1

    1497ef6fffaae6d17d69b330654ff3adfd21a004

  • SHA256

    ea21176ce1adc715a5938555f127b9bb397aa05f62f389ac0bd02f1f8b449370

  • SHA512

    30b7e6e4330795544da2104f3bbdd8a75b29f74b7e76d1384ad4f09acf446e6aad77194086cc27be6b7c7f56eb05bc65279f372425a488a6b7865700efd7e73a

  • SSDEEP

    196608:PlV/6EW9w4/iNtBqu/kuWqDr7ocW0FIQEHtLMpaHMgnuthehoT7XuXxLxazXQAHi:X/Db46NtwuRWII3HtL/HxnutVI+lAr

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

redline

Botnet

Ust

C2

15.235.171.56:30730

Attributes
  • auth_value

    8d3bb431e9d30f7506bd612688374540

Extracted

Family

socelars

C2

https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/

Extracted

Family

raccoon

Botnet

2bf587c1de64cf778a678dab58c61d3c

C2

http://89.185.85.53/

rc4.plain

Extracted

Family

nymaim

C2

208.67.104.97

85.31.46.167
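The C2 values extracted above are the most immediately actionable part of this report. The script below is an added example (not part of the sandbox report and not code from any of the malware families): it normalises the URLs, host:port pairs and bare IPs from the configs into one indicator set and matches them against a handful of constructed DNS, proxy and flow log lines. The log format, its field names and the 10.0.0.0/8 client addresses are assumptions made for illustration. Note that the Socelars C2 is matched on the full bucket hostname; matching on amazonaws.com would flag legitimate traffic.

```python
"""Normalise the C2 indicators from the extracted configs and match them
against network logs.  Added example, not part of the sandbox report."""
import re
from urllib.parse import urlparse

# C2 values copied verbatim from the "Malware Config" section above.
EXTRACTED_C2 = {
    "azorult": ["http://kvaka.li/1210776429.php"],
    "redline": ["15.235.171.56:30730"],
    "socelars": ["https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/"],
    "raccoon": ["http://89.185.85.53/"],
    "nymaim": ["208.67.104.97", "85.31.46.167"],
}


def normalise(value):
    """Return (host, port) for a URL, host:port pair or bare IP; port is None if unknown."""
    if "://" in value:
        u = urlparse(value)
        return u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80)
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host.lower(), int(port)
    return value.lower(), None


def build_indicators(configs=EXTRACTED_C2):
    """Index host -> {families, ports}; one host may be shared by several configs."""
    indicators = {}
    for family, values in configs.items():
        for value in values:
            host, port = normalise(value)
            entry = indicators.setdefault(host, {"families": set(), "ports": set()})
            entry["families"].add(family)
            if port is not None:
                entry["ports"].add(port)
    return indicators


# Constructed log lines (DNS, proxy and flow records); clients and timestamps are illustrative.
LOG = [
    "2022-09-30T12:01:03Z dns client=10.0.0.23 query=kvaka.li type=A",
    "2022-09-30T12:01:04Z proxy client=10.0.0.23 GET https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/ 200",
    "2022-09-30T12:01:05Z flow src=10.0.0.23 dst=15.235.171.56 dport=30730 proto=tcp",
    "2022-09-30T12:01:06Z flow src=10.0.0.23 dst=208.67.104.97 dport=80 proto=tcp",
    "2022-09-30T12:01:07Z dns client=10.0.0.24 query=update.microsoft.com type=A",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
DPORT = re.compile(r"\bdport=(\d+)\b")


def match_log(lines, indicators):
    """Return a hit for every indicator host found in each line, in log order."""
    hits = []
    for line in lines:
        candidates = sorted({h.lower() for h in HOSTNAME.findall(line)} | set(IPV4.findall(line)))
        m = DPORT.search(line)
        dport = int(m.group(1)) if m else None
        for host in candidates:
            if host not in indicators:
                continue
            ports = indicators[host]["ports"]
            hits.append({
                "host": host,
                "families": sorted(indicators[host]["families"]),
                # True/False when both the log and the config carry a port, None otherwise.
                "port_match": (dport in ports) if (dport is not None and ports) else None,
                "line": line,
            })
    return hits


if __name__ == "__main__":
    for hit in match_log(LOG, build_indicators()):
        print(hit["host"], hit["families"], hit["port_match"], "|", hit["line"])
```

A port match (the RedLine flow to 15.235.171.56:30730) is a stronger signal than a bare host match, since the bare Nymaim IPs in the config carry no port and could in principle be shared infrastructure.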

Targets

    • Target

      Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.zip

    • Size

      15.4MB

    • MD5

      6106aafdee20ef85dca9f9442f3635bc

    • SHA1

      ae3b85c2a386e742ae48e5269caad195b50e9dca

    • SHA256

      0455c1b10a9b777abee084a32955325334b4063d23e44c35d7b83962a979ccfa

    • SHA512

      40d0e66477cc32ac245caad4d437731dbbd44feaaa58dc8ac7e7dbc0c977bf3d271044146053c8b455be3be3d7a21b0cd545163cf68f758686eb48046fcea184

    • SSDEEP

      196608:7lV/6EW9w4/iNtBqu/kuWqDr7ocW0FIQEHtLMpaHMgnuthehoT7XuXxLxazXQAH2:D/Db46NtwuRWII3HtL/HxnutVI+lAL

    • Azorult

      An information stealer first seen in 2016 that harvests browser history, saved passwords, cookies and cryptocurrency wallet files and exfiltrates them to its C2 (here kvaka.li).

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro, or is being used as a host for injected code (compare the SetThreadContext signature below).

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to read configuration files of FTP clients such as FileZilla (sitemanager.xml, recentservers.xml), which store saved server credentials.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port (53) to servers other than the configured DNS resolvers was detected; this is often C2 traffic disguised as DNS.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe

    • Size

      15.5MB

    • MD5

      10d3d31d5947d450f0032afd9a959aaf

    • SHA1

      2f69473e05a64fdc1057280e4b456a79cecbd834

    • SHA256

      ca088abf9c8391811b62b0f22f09ea485130012320b1e1da65bcb8ab7034713e

    • SHA512

      b01cad01355e73cd904ed80c94b308d844ee6990ef21528d397e1ab9088b3124ed6e1d5ca2964b907ea1ca2f31af028faa8c4ce43bc5b71260c91eb137338894

    • SSDEEP

      393216:0YdrXTk08ALp6r764yddhjR1aIeGQkraLyv:XdrDkR764ypjja4raLe

    • Azorult

      An information stealer first seen in 2016 that harvests browser history, saved passwords, cookies and cryptocurrency wallet files and exfiltrates them to its C2 (here kvaka.li).

    • NyMaim

      NyMaim is a C++ downloader family first seen in 2013; it profiles the host and then fetches and runs further payloads (historically ransomware and banking trojans).

    • Pony / Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan that harvests saved passwords from FTP clients, browsers and email clients and can download further payloads.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro, or is being used as a host for injected code (compare the SetThreadContext signature below).

    • Raccoon

      Raccoon is an infostealer written in C++ and sold as malware-as-a-service, first seen in 2019; it collects browser credentials, cookies and cryptocurrency wallets.

    • RedLine

      RedLine Stealer is an infostealer written in C#, first seen in early 2020 and sold as malware-as-a-service; it harvests browser credentials, cookies, autofill data, cryptocurrency wallets and a list of installed software.

    • RedLine payload

    • Socelars

      Socelars is an infostealer targeting browser cookies and saved credit-card data; in this sample its C2 is an Amazon S3 bucket (see the extracted config and the "Legitimate hosting services abused" signature below).

    • Socelars payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution (refusing to run in certain regions).

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to read configuration files of FTP clients such as FileZilla (sitemanager.xml, recentservers.xml), which store saved server credentials.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port (53) to servers other than the configured DNS resolvers was detected; this is often C2 traffic disguised as DNS.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      FILE_ID.DIZ

    • Size

      60B

    • MD5

      54a89f6237f4bc3257ce50820b703d6c

    • SHA1

      8efc3c48171d9f7ca790fcaa9f9dcfd399b0331d

    • SHA256

      21b9eef3ed3d6be523cf01c4e2c6e6ad03159183092a880ce5315f7378b5e3ed

    • SHA512

      b7d32bb3ac19a83f578c3b46028565290cff304e37398836fb77f95f6f4b154790db4b0cd197cfd1835a110b47f740600d38e30fc8fefc94bb97da5ef4212e53

    • Score

      3/10
    • Target

      Password.HERE.jpeg

    • Size

      2KB

    • MD5

      b364a2257ab7db077315e62596501546

    • SHA1

      71f6b6379f9e160eb67dbc6940d73b33d3f69b93

    • SHA256

      8884f7ba74500a91e09c20f279f2f97480efa450df10712ea3f46ec2c21836af

    • SHA512

      a7a27e46144784be164df45e37de36cbe28f8fd251c18c9c81c458c4a6450926690a0311933ac291bb8bf3d16acbe29ef215a2f49b637422a7bd318046668ced

    • Score

      3/10
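Most of the behaviour signatures in the target list above reduce to a small set of host-telemetry checks: reads of well-known credential stores, specific registry queries and writes, and connections on port 53 to something other than the configured resolvers. The script below is an added example, not the sandbox's own signature logic: it applies such checks to constructed Sysmon-style events and rolls the hits up into the ATT&CK v6 technique IDs the report's matrix uses. The event schema, the Geo\Nation registry value used for the location check, the list of IP-echo services and the signature-to-technique mapping are assumptions made for the example.

```python
"""Map host telemetry to the behaviour signatures used in the report above.

Added example, not the sandbox's own detection logic.  EVENTS are constructed
Sysmon-style records (file reads, registry queries/writes, network connects);
the paths and keys in RULES are well-known locations of each artefact and are
representative, not exhaustive."""
import re
from collections import Counter

# Which event field each rule inspects.
FIELD = {"file_read": "path", "reg_query": "key", "reg_set": "key"}

# (signature name as printed in the report, ATT&CK v6 technique, event type, pattern)
RULES = [
    ("Reads data files stored by FTP clients", "T1081", "file_read",
     re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I)),
    ("Reads user/profile data of web browsers", "T1081", "file_read",
     re.compile(r"\\(Login Data|Cookies|Web Data)$", re.I)),
    ("Accesses cryptocurrency files/wallets, possible credential harvesting", "T1081", "file_read",
     re.compile(r"\\(wallet\.dat$|Electrum\\wallets\\|Exodus\\exodus\.wallet\\)", re.I)),
    ("Accesses Microsoft Outlook profiles", "T1114", "reg_query",
     re.compile(r"\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles\\", re.I)),
    ("Checks installed software on the system", "T1012", "reg_query",
     re.compile(r"\\CurrentVersion\\Uninstall\\", re.I)),
    # Assumption: the Windows country setting is read from HKCU\Control Panel\International\Geo\Nation.
    ("Checks computer location settings", "T1082", "reg_query",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("Adds Run key to start application", "T1060", "reg_set",
     re.compile(r"\\CurrentVersion\\Run\\", re.I)),
]

# Assumed list of public IP-echo services; the report only says "a legitimate IP lookup service".
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io", "icanhazip.com"}
NET_TECHNIQUES = {"Looks up external IP address via web service": "T1102"}

# Constructed events; the user name, IPs (TEST-NET ranges) and values are illustrative.
EVENTS = [
    {"type": "file_read", "path": r"C:\Users\u\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"type": "file_read", "path": r"C:\Users\u\AppData\Roaming\FileZilla\recentservers.xml"},
    {"type": "file_read", "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "path": r"C:\Users\u\AppData\Roaming\Electrum\wallets\default_wallet"},
    {"type": "file_read", "path": r"C:\Windows\System32\kernel32.dll"},
    {"type": "reg_query", "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"type": "reg_query", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "reg_query", "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\u\AppData\Roaming\updater.exe"},
    {"type": "net_connect", "dst": "10.0.0.1", "dport": 53},          # the configured resolver
    {"type": "net_connect", "dst": "198.51.100.7", "dport": 53},      # port 53 to a non-resolver
    {"type": "net_connect", "dst": "203.0.113.10", "dport": 443, "host": "api.ipify.org"},
]
RESOLVERS = {"10.0.0.1"}


def triage(events, configured_resolvers):
    """Count how often each report signature fires over a list of events."""
    signatures = Counter()
    for ev in events:
        if ev["type"] == "net_connect":
            if ev["dport"] == 53 and ev["dst"] not in configured_resolvers:
                signatures["Unexpected DNS network traffic destination"] += 1
            if ev.get("host") in IP_LOOKUP_HOSTS:
                signatures["Looks up external IP address via web service"] += 1
            continue
        if ev["type"] not in FIELD:
            continue
        field = ev[FIELD[ev["type"]]]
        for name, _tid, etype, pattern in RULES:
            if etype == ev["type"] and pattern.search(field):
                signatures[name] += 1
    return signatures


def attack_techniques(signatures):
    """Roll signature hits up to ATT&CK technique IDs, as the report's matrix does."""
    mapping = {name: tid for name, tid, _, _ in RULES}
    mapping.update(NET_TECHNIQUES)
    techniques = Counter()
    for name, count in signatures.items():
        if name in mapping:  # the DNS-destination signature has no technique in the report
            techniques[mapping[name]] += count
    return techniques


if __name__ == "__main__":
    sigs = triage(EVENTS, RESOLVERS)
    for name, count in sigs.most_common():
        print(f"{count:2d}  {name}")
    print(dict(attack_techniques(sigs)))
```

The per-technique counts this produces are the same kind of numbers the matrix below shows: several distinct credential-store reads all land in Credentials in Files (T1081), which is why that row has the highest count for an infostealer bundle like this one.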

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic / Technique (ID): matched signatures

Persistence
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion
  • Modify Registry (T1112): 1

Credential Access
  • Credentials in Files (T1081): 10

Discovery
  • Query Registry (T1012): 7
  • System Information Discovery (T1082): 9

Collection
  • Data from Local System (T1005): 10
  • Email Collection (T1114): 3

Command and Control
  • Web Service (T1102): 1
