Overview

overview

10

Static

static

10

keygen-pr.exe

windows7-x64

3

keygen-pr.exe

windows10-2004-x64

3

keygen-step-1.exe

windows7-x64

10

keygen-step-1.exe

windows10-2004-x64

10

keygen-step-3.exe

windows7-x64

7

keygen-step-3.exe

windows10-2004-x64

7

keygen-step-4.exe

windows7-x64

10

keygen-step-4.exe

windows10-2004-x64

10

keygen-step-5.exe

windows7-x64

7

keygen-step-5.exe

windows10-2004-x64

7

keygen-step-6.exe

windows7-x64

7

keygen-step-6.exe

windows10-2004-x64

7

keygen.bat

windows7-x64

10

keygen.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    798c35cdaf9d1be6b57310091bc555d2935ff8fdbe20eae5282986ea178c3348

  • Size

    6.5MB

  • Sample

    241105-j8qvcsycrp

  • MD5

    7f472773e0cf6265ba2a0a6e0587c9a0

  • SHA1

    0d7b05617304bb3a00c700b7f699454c3aa995fa

  • SHA256

    798c35cdaf9d1be6b57310091bc555d2935ff8fdbe20eae5282986ea178c3348

  • SHA512

    04e21e84aec75f282bf60189913469e89b63ce26d30260db3c64001e057b84bb9aff8405f53c9ce804822982ea71f6c9deeac09866cf6134c927129543575394

  • SSDEEP

    98304:9aIpWnNam/PwmFACX5pBUcMzDuBVG5Hc+ZPytj0kGLsfGdY4HGcc1nXmMB4lB/Lq:QIpWN2CLecIT40kEY4mb9G/L2RTp

Score
10/10
azorultffdroiderponycollectioncredential_accessdiscoveryevasioninfostealerratspywarestealertrojanvmprotect

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

ffdroider

C2

http://186.2.171.3

Targets

    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    • SSDEEP

      49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • SSDEEP

      3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio

    Score
    10/10
    azorultdiscoveryinfostealertrojan
    behavioral3behavioral4

    • Target

      keygen-step-3.exe

    • Size

      869KB

    • MD5

      f51bfbbc86931dbc96c6b4be4b4c3659

    • SHA1

      9befbb82364dbc2f09afc9dedd4caeedc9434515

    • SHA256

      059cd9bb3ad74aa7d4a7720c03e07114e89f770dd76523f56febd95f408b8cd3

    • SHA512

      15da6cdaa3aca5abb7f06b6b49d6f1fdc20726c3dbaae832050a066cf0aa588fc344fceca23f3309bd4d158b46651eb2b0ef6c3e42381ac4d01634a3b8bd61ac

    • SSDEEP

      24576:mV3TJTgieFtoQjNfh9FaXASi9i3kRha7cYWc:mV31Eby6fjs3kRha5W

    Score
    7/10
    discovery

    • Deletes itself

    • Executes dropped EXE

    behavioral5behavioral6

    • Target

      keygen-step-4.exe

    • Size

      2.4MB

    • MD5

      2ee9fd7fd5b40b30130679f4117664fe

    • SHA1

      0d7e6b6119c8c0129973792f203b9cd81a6fed89

    • SHA256

      d9fb3bd2fb13d72036461c87ed6dac9d05d316a574bb7b4e44c4ac76519a578d

    • SHA512

      1d66b9cb930f16e8d417f6aa18881c182ab8526c83425741b12ff46ef74fb411155aa6818aaab827146e5a20c76ceba6f8e42b6b7dcfe0cacea14fbd6fe6dd97

    • SSDEEP

      49152:Sunqy/yencuHj4WI03kPMPP4e2dlIObjo5RfksOlzdvU9ohducXFjZT:SKqynHSirP4LRskLdM9cdu4h9

    Score
    10/10
    ffdroiderdiscoveryspywarestealervmprotectevasiontrojan

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider payload

    • Ffdroider family

      ffdroider

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      keygen-step-5.exe

    • Size

      1.9MB

    • MD5

      3b7a3bba78f866019d4addccffcf3942

    • SHA1

      a1a467cc72b2b0b5678aed806435ab4e4f3a232e

    • SHA256

      c9022d72e11ce317a5edd37195ac5e7aac341e1df29792f04d2c181eac6dea1b

    • SHA512

      86978fd7b9f92338c6328494c00032b400ce596952df266b3123ed949ef7324708ae03927739c4686efdb89727f8e0a89147a6367bb3485290ba84ef9406c469

    • SSDEEP

      24576:q9qFtP8Q12rlO5Onp6iMsKmLYcX7Kx6BPLNtszaEvxAirQuPZY88PDR3YWff8yP0:N1clGWIiSmVOEBwzacxAir/RYBDu/3uw

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral10behavioral9

    • Target

      keygen-step-6.exe

    • Size

      248KB

    • MD5

      1a4d0807e2bfc6217e8ccdd1909111a2

    • SHA1

      eefc705d2ad689bd3aea4466cbcaebdb649d2f99

    • SHA256

      96b32cf057284f68cfca119a9560954ee76f9a7f7634e545c15d9b3b70566bbb

    • SHA512

      9845bcecdc54212da2c4db48b8cdeac23f433186d7809919c71db8c54edae5fbeb1ef1f50bfdde34ef41fe0eeea59ec7eb60bf46ad209a80aec4263ae9bcabcc

    • SSDEEP

      6144:0HCyQXDsXB89crVEtKsv8sg+UrUDJAnnni8VPhNtj/t6pHt:0HCyQQRfrVET8sg+TDqnnnhNLtjViHt

    Score
    7/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral11behavioral12

    • Target

      keygen.bat

    • Size

      175B

    • MD5

      96969f73ab2c8e4be632cdbd0ead0760

    • SHA1

      6f9a163ba4f938b063d24cd966af9b5abd8434fd

    • SHA256

      04c2002de2cb5022e9c3b9325216ce74847f74166aa702eff6df01067930b49e

    • SHA512

      261588c1e0a026be6ef3d35df77f52a5dc693c181be08d6c13110b59694497ec024fd751c54d3ca004312c02abb32c72ef61b824750eeccfe61c7f263ba1cab2

    Score
    10/10
    azorultffdroiderponycollectioncredential_accessdiscoveryinfostealerratspywarestealertrojanvmprotectevasion

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Azorult family

      azorult

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • FFDroider payload

    • Ffdroider family

      ffdroider

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Query Registry

3
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks