General
- Target: Adobe_Acrobat_9_0_keygen_by_KeyGenLion.exe
- Size: 13.4MB
- Sample: 221024-r51t6ahce3
- MD5: 96d0fc9f221427bcc2f3cd5d09d0ed30
- SHA1: 7df10221e1a966eeaf8ad9fdc39f80aef66b07e3
- SHA256: a967bbf66ed0a06d023355baa1b7f467339ce3cfb019ef4a0a7f141feb00069f
- SHA512: 72aeb6b0e5ea7368aadfde9f3ac3b5a43250c14884ad0b134ba78d39b6e1c8d7aee6381651928e018c9a84a90492d31b9be55382f973b6ac0cd32b501dc2bb4c
- SSDEEP: 196608:di3fQRw0t1C8sHMu/BM8xu5CqYwTdKSajh3lqA5hIObGkYos6F/p:nnns//K8xu5CpQ4FcA5h/ykdFp
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: Adobe_Acrobat_9_0_keygen_by_KeyGenLion.exe
- Resource: win10v2004-20220812-en
Malware Config
- Extracted (azorult): C2 http://domcomp.info/1210776429.php
- Extracted (raccoon): ID 0963961b6efd711f927db2b31f7bcc38, C2 http://51.79.211.202
- Extracted (socelars): http://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/
Signatures
- Azorult: An information stealer first discovered in 2016, targeting browsing history and passwords.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or a macro.
- Socelars payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely used as a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext