General
Target: Adobe_Muse_CC_2021_v1_1_keygen.exe
Size: 9.0MB
Sample: 221009-thkwjahdbl
MD5: b57044855b730ecea59ee1455063d43c
SHA1: 3f3972b03e12f916f718e5d9634508dba4313917
SHA256: 8eb2ee3b32676cfa3e863a95a7f868c7382783f0e9339c36a4318feba84ffe3e
SHA512: 6aea14f4fb0494071f0fa80bd5c75c9758aaae5d5fd3f813d7ae78adb8ca9f791cebb39363ffe5d09af323b67e3285da85664189424950ac7461f9c9f295cea5
SSDEEP: 196608:JrPqZ3OId9cLfyRCC6LHgkts8gimtyaL0yHRV2xySi9KN1hpeEXUciu/Yfjd2PVL:Jeeu9cLvC6LUsm9vyxySaKNpeDJB+Qi
Static task: static1
Behavioral task: behavioral1
Sample: Adobe_Muse_CC_2021_v1_1_keygen.exe
Resource: win10-20220812-en
Malware Config
Extracted family: azorult
C2: http://kvaka.li/1210776429.php
Extracted family: pony
C2: http://www.oldhorse.info
Extracted family: redline
Botnet: newmixtelka1
C2: lanalannnal.xyz:81
auth_value: 3d31022b1c6ed0ab22adcb5b15b7bf72
Extracted family: redline
Botnet: cccaac
C2: 15.235.171.56:30730
auth_value: 4812657b86bdaa5e76896478d967e199
Targets
Target: Adobe_Muse_CC_2021_v1_1_keygen.exe (9.0MB; hashes identical to those listed under General)
- Azorult: An information stealer first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Loads dropped DLL
- Unexpected DNS network traffic destination: Network traffic on the DNS port to servers other than the configured DNS servers was detected.
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext