General

  • Target

    39c5ea241fa0aed95ea39cbb933526d8_JaffaCakes118

  • Size

    10.0MB

  • Sample

    240711-tafa3stbrq

  • MD5

    39c5ea241fa0aed95ea39cbb933526d8

  • SHA1

    a68e1b83880dedbf928b4c2c98589f15cca5095e

  • SHA256

    693883c68fc9fd236ff5e63c81c01a0ba5ffa60360c4db1c125c5094bbce68fa

  • SHA512

    481c11b36fc5983b35b567a2d1270a677d4ebe78432210001ac19c393b195a191dc3238f02041becb1b86d8d0f2a97095a62882766cf0077df80938a325e5a2e

  • SSDEEP

    196608:wxN8BUsNXpwd/HSznBUwJhx2S8LwqDWJEYUvUF/P5chhPtSgx2:cMXpwJHSzBR2S8LvYOggx2

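Before trusting any verdict in this report, confirm that the file on your bench is the same object the sandbox analysed. The hashes below are copied from the General block above; the code itself is an added example and not part of the report. It computes all four digests in one pass (so a multi-gigabyte archive is read once), compares them case-insensitively against what the report lists, and checks the naming convention visible on this page, where the Target name's hex prefix is the sample's MD5 followed by a suffix. SSDEEP is deliberately left out: it needs the ssdeep/ppdeep library and a similarity threshold, not an equality check.

```python
import hashlib

# Values copied from the "General" block of this report (the 10.0MB parent sample).
REPORTED = {
    "md5": "39c5ea241fa0aed95ea39cbb933526d8",
    "sha1": "a68e1b83880dedbf928b4c2c98589f15cca5095e",
    "sha256": "693883c68fc9fd236ff5e63c81c01a0ba5ffa60360c4db1c125c5094bbce68fa",
    "sha512": "481c11b36fc5983b35b567a2d1270a677d4ebe78432210001ac19c393b195a191dc3238f02041bec"
              "b1b86d8d0f2a97095a62882766cf0077df80938a325e5a2e",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def multi_hash(chunks):
    """Feed every chunk to all four hashers in a single pass; also count the bytes seen."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["size"] = size
    return digests


def hash_file(path, chunk_size=1 << 20):
    """Stream a file from disk in 1 MiB chunks so large samples do not need to fit in memory."""
    with open(path, "rb") as f:
        return multi_hash(iter(lambda: f.read(chunk_size), b""))


def compare(actual, reported):
    """Return {algo: (actual, reported)} for every reported value that is missing or differs.

    An empty dict means the local file matches the report on every listed algorithm.
    """
    mismatches = {}
    for algo, expected in reported.items():
        got = actual.get(algo)
        if got is None or str(got).lower() != str(expected).lower():
            mismatches[algo] = (got, expected)
    return mismatches


def name_matches_md5(target_name, md5):
    """Check the naming scheme seen in this report: '<md5>_<suffix>' (suffix is arbitrary)."""
    return target_name.lower().split("_", 1)[0] == md5.lower()


def verify_sample(path, reported=REPORTED):
    """Hash a local file and report which of the page's digests it fails to match."""
    return compare(hash_file(path), reported)


if __name__ == "__main__":
    import sys
    # Usage: python verify.py <path-to-sample>
    bad = verify_sample(sys.argv[1])
    print("match" if not bad else f"MISMATCH: {bad}")
```

If any digest differs, stop: you are holding a different build, a re-packed dropper, or a truncated download, and nothing in the behaviour list below necessarily applies to it.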
Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

ffdroider

C2

http://101.36.107.74

Targets

    • Target

      intro.exe

    • Size

      144KB

    • MD5

      573a20aa042eede54472fb6140bdee70

    • SHA1

      3de8cba60af02e6c687f6312edcb176d897f7d81

    • SHA256

      2ecebded4848d7ebf8cfc435fafe324c593fe4acec71866730acecd50c1109c3

    • SHA512

      86e84be2d2b5548e72545bd374221dfa9940254cc1dcee016b52a2207c139bd0782ab712174c4dd7cfa49351360cfb124fe3bfbdd8ee45cd9ac735deb4864664

    • SSDEEP

      3072:JAJxsr//OHTE/CJ+juuVSpiVyzwLe/Nv0s:C3FJKuuV+lv0s

    Score
    1/10
    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    • SSDEEP

      49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1

    Score
    1/10
    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • SSDEEP

      3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Target

      keygen-step-3.exe

    • Size

      677KB

    • MD5

      19f48cb45e4dcc1fe8470d5d76a16df4

    • SHA1

      586db9e14a24a0719db0c7ae15b8e7e4e328a80b

    • SHA256

      5971f27578f7a5d0f309a77148c431f78e6971cb0f1506c319432307471d3c80

    • SHA512

      09987d7cf6dcd7e16c7ab183947f5853dfc3a977777d237761fc94a5f7f6b19fa2ea9a3a532e7e090b4d85685528fbc1095c2854e35cbd9beafc385a7d898762

    • SSDEEP

      12288:UvIHCq2LGyiEdJWPRrMzIzZibsTj9MlvFF1QRpwPZn1WENRR9TqmLtWxTmO++NM:Ut5YRxUoTj9yvr1QRp4n1BRPTqHC+N

    Score
    7/10
    • Deletes itself

    • Target

      keygen-step-4.exe

    • Size

      7.6MB

    • MD5

      1770a7731a4ea1030149e7f05cff1705

    • SHA1

      02868a443c1864bb0afbe0832545736bd538028f

    • SHA256

      3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092

    • SHA512

      eec736c11084a6a066c2767ebbd1d4f06b6cfb4524450ca19bd8f9c743725545c7559f45e03aa5287732be9d35dbd72e80dfbd4bcdb810abd70bfc5b2ac00fe7

    • SSDEEP

      196608:K90XryNC3HMcOrcX4MPIJe9A1eGL+pieBJPE11ExWR:1iUDX4MQwA1PCpiey11Z

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users, first seen in April 2022.

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • Detected Nirsoft tools

      Free utilities, frequently abused by attackers, that can recover stored passwords, product keys and similar secrets.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      keygen.bat

    • Size

      146B

    • MD5

      98ee725f76d72ee9e9899a3fab9ba23b

    • SHA1

      45c34541a5b0aa0bb99043f6c39f49605ec4ebd8

    • SHA256

      ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff

    • SHA512

      369176b70962b18910fcbb876945873fcfb9bb251e845e3e601d38b38f3998c1808f45796be01eb5a6ccc585b2533bcf2c4d1d3e2fc63fd4fabba31e3b8c5b06

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users, first seen in April 2022.

    • Fabookie

      Fabookie is a Facebook account information stealer.

    • Pony,Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan that also acts as a loader for additional payloads.

    • Detected Nirsoft tools

      Free utilities, frequently abused by attackers, that can recover stored passwords, product keys and similar secrets.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      user32.dll

    • Size

      1.6MB

    • MD5

      634fbe95ea4ef2e799b3d117dd9ec52e

    • SHA1

      09533551abefbc922b87d1c2553329abd328c387

    • SHA256

      1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e

    • SHA512

      7d3857623c2d6806ed56e436fba2aa72ee57978ed8261894c3d7bb97a9f747d87866ca1dfaa2bc21ea22de1544fe7daf223565b7f16d894d02219ea9a690b7cf

    • SSDEEP

      24576:77hFCFHT0vzImKVsVzuJJBwuCx59U4IgL5pz1:P6STzwJBwuOTU4Ia1

    Score
    1/10
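
The "UPX packed file" signature on keygen-step-4.exe and keygen.bat above fires on stock UPX as well as on "modified UPX", where the packer's section names have been renamed to defeat exactly that signature. The following is an added example (not the sandbox's rule) that reproduces both halves of such a check from a PE image in memory: it walks the section table with nothing but struct, flags the well-known UPX section names, and, for the renamed case, falls back to the structural fingerprint that renaming does not remove (an empty first section that is unpacked into at runtime, followed by a high-entropy section holding the compressed image). The 7.0 bits/byte threshold and the UPX section-name list are this example's choices; the minimal PE builder at the end exists only to construct test input and produces a non-loadable file.

```python
import hashlib
import math
import struct

# Section names used by stock UPX (the list is this example's, not exhaustive).
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}


def pe_sections(data):
    """Yield (name, raw_bytes) for each section of a PE image held in memory (no pefile needed)."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                    # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                                        # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, data[raw_ptr:raw_ptr + raw_size]


def entropy(buf):
    """Shannon entropy in bits per byte; compressed or encrypted data sits close to 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def upx_indicators(data, high_entropy=7.0):
    """Collect the evidence a UPX rule looks at and reduce it to a verdict."""
    sections = list(pe_sections(data))
    result = {
        "upx_names": [n.decode("latin-1") for n, _ in sections if n in UPX_SECTION_NAMES],
        "high_entropy": [n.decode("latin-1") for n, raw in sections
                         if len(raw) >= 256 and entropy(raw) >= high_entropy],
        # Stock UPX leaves the first section with SizeOfRawData == 0; the stub unpacks into it.
        "empty_first_section": bool(sections) and len(sections[0][1]) == 0,
    }
    if result["upx_names"]:
        result["verdict"] = "upx"
    elif result["empty_first_section"] and result["high_entropy"]:
        result["verdict"] = "packed_unknown"     # renamed sections, same layout: "modified UPX"
    else:
        result["verdict"] = "no_indicators"
    return result


def build_fake_pe(sections):
    """Constructed test input: a PE-shaped blob with just the headers pe_sections() reads. Not loadable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)  # SizeOfOptionalHeader = 0
    raw_off = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, body = b"", b""
    for name, raw in sections:
        ptr = raw_off + len(body) if raw else 0
        headers += name.ljust(8, b"\0") + struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\0" * 16
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + headers + body


# Deterministic high-entropy filler standing in for a compressed image (constructed, 4096 bytes).
HIGH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

if __name__ == "__main__":
    stock = build_fake_pe([(b"UPX0", b""), (b"UPX1", HIGH), (b".rsrc", b"A" * 512)])
    renamed = build_fake_pe([(b".code", b""), (b".data", HIGH), (b".rsrc", b"A" * 512)])
    print(upx_indicators(stock)["verdict"], upx_indicators(renamed)["verdict"])
```

Neither heuristic proves UPX specifically: any packer with an unpack-into-empty-section layout trips the second branch, and a UPX build with tweaked section names and no empty first section trips neither, which is why the sandbox pairs the static rule with the runtime behaviours listed alongside it.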

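Four of the behaviours listed for keygen-step-4.exe and keygen.bat are registry lookups or writes: the country-code read behind "Checks computer location settings", the Uninstall-key walk behind "Checks installed software", the EnableLUA read behind "Checks whether UAC is enabled", and the Run-key write behind "Adds Run key to start application". The code below is an added example, not the sandbox's signature set, that re-derives those four tags from a registry API trace. The trace format and its lines are constructed for this example; the key paths are the standard Windows locations (HKCU\Control Panel\International\Geo\Nation for the country code is this example's assumption about which location the report's rule means).

```python
import re
from collections import defaultdict

# Constructed trace (made up for this example): one registry API call per line, in the shape a
# sandbox hook log or an ETW registry-provider dump would give you. Backslashes are literal.
TRACE = r"""
pid=4120 op=RegQueryValueEx key=HKCU\Control Panel\International\Geo value=Nation
pid=4120 op=RegEnumKeyEx key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip value=DisplayName
pid=4120 op=RegQueryValueEx key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value=EnableLUA
pid=4120 op=RegSetValueEx key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=intro data=C:\Users\Public\intro.exe
pid=5208 op=RegQueryValueEx key=HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles value=DefaultProfile
""".strip()

LINE_RE = re.compile(
    r"^pid=(?P<pid>\d+) op=(?P<op>\w+) key=(?P<key>.+?) value=(?P<value>\S*)(?: data=(?P<data>.*))?$"
)

READ_OPS = {"RegOpenKeyEx", "RegQueryValueEx", "RegEnumKeyEx", "RegEnumValue"}
WRITE_OPS = {"RegCreateKeyEx", "RegSetValueEx"}

# (tag, operations that count, regex searched in the lower-cased key, regex the value must fully match or None)
RULES = [
    ("checks_computer_location", READ_OPS,
     r"\\control panel\\international\\geo$", r"nation"),
    ("checks_installed_software", READ_OPS,
     r"\\software\\(wow6432node\\)?microsoft\\windows\\currentversion\\uninstall(\\|$)", None),
    ("checks_uac_enabled", READ_OPS,
     r"\\policies\\system$", r"enablelua"),
    ("adds_run_key", WRITE_OPS,
     r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", None),
]


def classify(trace_text):
    """Map pid -> sorted list of behaviour tags, mirroring the report's registry-based signatures."""
    hits = defaultdict(set)
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # partial or foreign line: skip instead of aborting the whole triage
        op = m["op"]
        key = m["key"].lower().rstrip("\\")   # hive prefix and case vary between tools; rules ignore both
        value = m["value"].lower()
        for tag, ops, key_re, value_re in RULES:
            if op in ops and re.search(key_re, key) and (value_re is None or re.fullmatch(value_re, value)):
                hits[m["pid"]].add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items()}


if __name__ == "__main__":
    for pid, tags in classify(TRACE).items():
        print(pid, ", ".join(tags))
```

The caveat for anyone porting this to endpoint telemetry: Sysmon records registry writes and key changes (event IDs 12, 13 and 14) but not reads, so of the four tags only adds_run_key is recoverable from Sysmon data; the three read-based checks need an API hook trace, the ETW registry provider, or a sandbox run like the one this report documents.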
MITRE ATT&CK Enterprise v15
