azorult

General

Target

Adobe_Acrobat_9_0_keygen_by_KeyGenLion.exe
Size

13.4MB
Sample

221024-r51t6ahce3
MD5

96d0fc9f221427bcc2f3cd5d09d0ed30
SHA1

7df10221e1a966eeaf8ad9fdc39f80aef66b07e3
SHA256

a967bbf66ed0a06d023355baa1b7f467339ce3cfb019ef4a0a7f141feb00069f
SHA512

72aeb6b0e5ea7368aadfde9f3ac3b5a43250c14884ad0b134ba78d39b6e1c8d7aee6381651928e018c9a84a90492d31b9be55382f973b6ac0cd32b501dc2bb4c
SSDEEP

196608:di3fQRw0t1C8sHMu/BM8xu5CqYwTdKSajh3lqA5hIObGkYos6F/p:nnns//K8xu5CpQ4FcA5h/ykdFp

Score

10^/10

Malware Config

Extracted

Family

azorult

C2

http://domcomp.info/1210776429.php

Extracted

Family

raccoon

Botnet

0963961b6efd711f927db2b31f7bcc38

C2

http://51.79.211.202

rc4.plain

Extracted

Family

socelars

C2

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Targets

- Target
  
  Adobe_Acrobat_9_0_keygen_by_KeyGenLion.exe
- Size
  
  13.4MB
- MD5
  
  96d0fc9f221427bcc2f3cd5d09d0ed30
- SHA1
  
  7df10221e1a966eeaf8ad9fdc39f80aef66b07e3
- SHA256
  
  a967bbf66ed0a06d023355baa1b7f467339ce3cfb019ef4a0a7f141feb00069f
- SHA512
  
  72aeb6b0e5ea7368aadfde9f3ac3b5a43250c14884ad0b134ba78d39b6e1c8d7aee6381651928e018c9a84a90492d31b9be55382f973b6ac0cd32b501dc2bb4c
- SSDEEP
  
  196608:di3fQRw0t1C8sHMu/BM8xu5CqYwTdKSajh3lqA5hIObGkYos6F/p:nnns//K8xu5CpQ4FcA5h/ykdFp
Score

10^/10

azorult raccoon socelars 0963961b6efd711f927db2b31f7bcc38 collection discovery infostealer spyware stealer trojan vmprotect
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Socelars
  Socelars is an infostealer targeting browser cookies and credit card credentials.
  stealer socelars
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1