8c4738459da1bc773ba4083bf60bd421ab41f9c7a457c05ab0385a0598d5db15

General

Target

Zorararara3.zip
Size

15.1MB
Sample

241012-ll7kpsydlm
MD5

16bea92281e4d42e3884f39d1abae157
SHA1

2d570b967b55ce93302e4cc6feea6c060ccc6b28
SHA256

8c4738459da1bc773ba4083bf60bd421ab41f9c7a457c05ab0385a0598d5db15
SHA512

1af280f8ef21832b703132407746287f54f4c4fba86bec86ee94c273e28078401ec181ea7867411960c1d9d53085edd4567aafdc7ad65362260f9f16ceb9246e
SSDEEP

393216:a+1w1giC0A7MpaPR5+aLQB9clhN4Sqlemy6NSFAS00Dh:lw1gii7MpkRhbfwT+A10Dh

Score

8^/10

Malware Config

Targets

- Target
  
  Zorara.dll
- Size
  
  11.9MB
- MD5
  
  81256be650931809232b7fffa2b6e28c
- SHA1
  
  3366ab9dc66b4555903c25da11ec5568f2627d71
- SHA256
  
  f1b5d7aa8ff67637b6f701e1321551f8b3378ab5cd1f47282daa619894b28522
- SHA512
  
  82a18f0422642cb6bdfbeb3fa42096ff3896a3f7eae59367e424c9814f9cec8151c59aae87c842f0b674aadd64f7fe9b40a21407593a90bd765ede6fd7f31042
- SSDEEP
  
  196608:svwMHc9UQ+cQKYVMGKV19DBP/w1xcQGP51Evkn0FQuEPSk:sJY2VaBPSYfSknCE
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1
- Target
  
  ZoraraUI.dll
- Size
  
  314KB
- MD5
  
  62deae01d17a7823f1f33360dc20271f
- SHA1
  
  f88128a71b817be945f2fa470f247ccd605d0a94
- SHA256
  
  8003489839930a08ceb817bbf9465e4505d39b4c64b8ffed7531d8655ba0ba30
- SHA512
  
  4bad1611fe3cfbb6e944a67e5cfa42331173b2e37911e5cf3a00ea7643c8cbbde83536a3760e63737598eb7cb230d725a97027cb4a2a53d94b645b074bdeb508
- SSDEEP
  
  3072:ldcElZm+ymBTmseCb7WZqmYwSKiIwOby6bdPmYwSKqIfV:LZmLmBasei7WIN8by6bdPN
Score

1^/10
behavioral2
- Target
  
  ZoraraUI.exe
- Size
  
  254KB
- MD5
  
  718d5c5e8e9688083a176b8460762df8
- SHA1
  
  adfe33da3e1c87f319aa653e9d315acf9aed7fc2
- SHA256
  
  56b9004d08e5c52155c52f72bdc05de9b0475b060a790f48af23f79f2f9f1106
- SHA512
  
  9068831b1c2c5f30b8768975c7f42d55bf062d4965f7fb46031204e958b0d73cee72a6dbfc6859151df80e9ec253ee78996563f9562ef6ba2cc659f2e71459fc
- SSDEEP
  
  3072:WjK4UGDHXrQ8hy7qgpHulWD9ZvZ5Pf3Ca10xuZ04ntfOBhBuhmYwSKgIwe:WjK4TDUqgpqWDLZ5H+xuZ04ihAhN
Score

8^/10

adware defense_evasion discovery persistence privilege_escalation stealer
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral3