Overview
Overview score: 10
Static analysis
Behavioral task scores (sample, platform: score):
- Adobe_Phot...on.zip, windows7-x64: 10
- Adobe_Phot...on.zip, windows10-2004-x64: 1
- Adobe_Phot...on.exe, windows7-x64: 10
- Adobe_Phot...on.exe, windows10-2004-x64: 10
- FILE_ID.diz, windows7-x64: 3
- FILE_ID.diz, windows10-2004-x64: 3
- Password.HERE.jpg, windows7-x64: 3
- Password.HERE.jpg, windows10-2004-x64: 3

General
Target: Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion(1).zip
Size: 15.4MB
Sample: 220930-ys6m7sfehn
MD5: 6b32513ff7534ab5163af7201c25a99c
SHA1: 1497ef6fffaae6d17d69b330654ff3adfd21a004
SHA256: ea21176ce1adc715a5938555f127b9bb397aa05f62f389ac0bd02f1f8b449370
SHA512: 30b7e6e4330795544da2104f3bbdd8a75b29f74b7e76d1384ad4f09acf446e6aad77194086cc27be6b7c7f56eb05bc65279f372425a488a6b7865700efd7e73a
SSDEEP: 196608:PlV/6EW9w4/iNtBqu/kuWqDr7ocW0FIQEHtLMpaHMgnuthehoT7XuXxLxazXQAHi:X/Db46NtwuRWII3HtL/HxnutVI+lAr

Static task: static1
Behavioral task behavioral1: sample Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.zip, resource win7-20220901-en
Behavioral task behavioral2: sample Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.zip, resource win10v2004-20220812-en
Behavioral task behavioral3: sample Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe, resource win7-20220812-en
Behavioral task behavioral4: sample Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe, resource win10v2004-20220812-en
Behavioral task behavioral5: sample FILE_ID.diz, resource win7-20220901-en
Behavioral task behavioral6: sample FILE_ID.diz, resource win10v2004-20220812-en
Behavioral task behavioral7: sample Password.HERE.jpg, resource win7-20220812-en
Behavioral task behavioral8: sample Password.HERE.jpg, resource win10v2004-20220812-en

Malware Config
Extracted config: azorult
- http://kvaka.li/1210776429.php
Extracted config: redline
- Ust
- 15.235.171.56:30730
- auth_value: 8d3bb431e9d30f7506bd612688374540
Extracted config: socelars
- https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/
Extracted config: raccoon
- 2bf587c1de64cf778a678dab58c61d3c
- http://89.185.85.53/
Extracted config: nymaim
- 208.67.104.97
- 85.31.46.167

Targets

Target: Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.zip
Size: 15.4MB
MD5: 6106aafdee20ef85dca9f9442f3635bc
SHA1: ae3b85c2a386e742ae48e5269caad195b50e9dca
SHA256: 0455c1b10a9b777abee084a32955325334b4063d23e44c35d7b83962a979ccfa
SHA512: 40d0e66477cc32ac245caad4d437731dbbd44feaaa58dc8ac7e7dbc0c977bf3d271044146053c8b455be3be3d7a21b0cd545163cf68f758686eb48046fcea184
SSDEEP: 196608:7lV/6EW9w4/iNtBqu/kuWqDr7ocW0FIQEHtLMpaHMgnuthehoT7XuXxLxazXQAH2:D/Db46NtwuRWII3HtL/HxnutVI+lAL
Signatures:
- Azorult: an information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination: network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext

Target: Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe
Size: 15.5MB
MD5: 10d3d31d5947d450f0032afd9a959aaf
SHA1: 2f69473e05a64fdc1057280e4b456a79cecbd834
SHA256: ca088abf9c8391811b62b0f22f09ea485130012320b1e1da65bcb8ab7034713e
SHA512: b01cad01355e73cd904ed80c94b308d844ee6990ef21528d397e1ab9088b3124ed6e1d5ca2964b907ea1ca2f31af028faa8c4ce43bc5b71260c91eb137338894
SSDEEP: 393216:0YdrXTk08ALp6r764yddhjR1aIeGQkraLyv:XdrDkR764ypjja4raLe
Signatures:
- Azorult: an information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Socelars payload
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Unexpected DNS network traffic destination: network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: FILE_ID.DIZ
Size: 60B
MD5: 54a89f6237f4bc3257ce50820b703d6c
SHA1: 8efc3c48171d9f7ca790fcaa9f9dcfd399b0331d
SHA256: 21b9eef3ed3d6be523cf01c4e2c6e6ad03159183092a880ce5315f7378b5e3ed
SHA512: b7d32bb3ac19a83f578c3b46028565290cff304e37398836fb77f95f6f4b154790db4b0cd197cfd1835a110b47f740600d38e30fc8fefc94bb97da5ef4212e53
Score: 3/10

Target: Password.HERE.jpeg
Size: 2KB
MD5: b364a2257ab7db077315e62596501546
SHA1: 71f6b6379f9e160eb67dbc6940d73b33d3f69b93
SHA256: 8884f7ba74500a91e09c20f279f2f97480efa450df10712ea3f46ec2c21836af
SHA512: a7a27e46144784be164df45e37de36cbe28f8fd251c18c9c81c458c4a6450926690a0311933ac291bb8bf3d16acbe29ef215a2f49b637422a7bd318046668ced
Score: 3/10