Overview

overview

10

Static

static

10

keygen-pr.exe

windows7-x64

3

keygen-pr.exe

windows10-2004-x64

3

keygen-step-1.exe

windows7-x64

10

keygen-step-1.exe

windows10-2004-x64

10

keygen-step-3.exe

windows7-x64

3

keygen-step-3.exe

windows10-2004-x64

3

keygen-step-4.exe

windows7-x64

10

keygen-step-4.exe

windows10-2004-x64

10

keygen.bat

windows7-x64

10

keygen.bat

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209

  • Size

    8.7MB

  • Sample

    241106-qqjfws1cmd

  • MD5

    439e00a52e27f2a9c653cb58031277c3

  • SHA1

    3d96d6337c31d0345a85ceae45bebf15d26ea695

  • SHA256

    4470d04e7ddfe73366faf06ccbf50904961fe2999f4c8c23be35b820b6036209

  • SHA512

    4bc57dbda7e07d3a4b8e957bcdcdb5d5e8dfe7b34a23cb4ead4781423dc5922bc2a8ccf9c8b6b6e2c8689aca6f52fdca67b17ca5c94f236e86cba2cf009a4866

  • SSDEEP

    196608:OtSgx3x7QhNt2YaqJxdGNQrbZ2WSV8g1CL3B3I2G9n4:Ngx3xMh/2yxkaS8iw9IN2

Score
10/10
azorultfabookieffdroiderponybootkitcollectioncredential_accessdiscoveryevasioninfostealerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

ffdroider

C2

http://101.36.107.74

Targets

    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    • SSDEEP

      49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • SSDEEP

      3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio

    Score
    10/10
    azorultdiscoveryinfostealertrojan
    behavioral3behavioral4

    • Target

      keygen-step-3.exe

    • Size

      704KB

    • MD5

      62d2a07135884c5c8ff742c904fddf56

    • SHA1

      46ce1f7fdf8b4cb2abe479efd5f352db9728a40b

    • SHA256

      a12fee020eb54a0f012545074c689893113d130498d9ad411d5852c786770b81

    • SHA512

      19c4dc3558308052bb13f71ca633ab05d55d57b68fc240fcc6d06e583fa61c5ccea87ef0f8196acc19b37d87deb42e5c204a2a05fce63f1accaf9e39c219f519

    • SSDEEP

      12288:KfC3M1/PxU2j5btJRIQrdLG7PHa8JVJ/MM5MSoMPr6XrRZ04gxTmg+O:MBrhtbxa7PHLJj/MM5MgPGbRZ0lN+

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      keygen-step-4.exe

    • Size

      6.8MB

    • MD5

      38f1d6ddf7e39767157acbb107e03250

    • SHA1

      dcb0d5feacb80c1e4cbb71a30cff7edf10a185e8

    • SHA256

      97ada84ef77a3b45abd2e14caf519e06bbbad5a6ed180aa6ee543e38e9bce796

    • SHA512

      3ba909b5001a3b995ebe8f9dbd4ddb6506a5c66612cf43e94a50f72c543a9aa4828bbba224db807de10076c5e70fabf7cc31bf8e442a3f4cf26d95c7f7094c2d

    • SSDEEP

      196608:KL/vpHgjhQujt++Oln4e8/8M6QwoiwNyEGcsmZ1v5:QAjhQuolI/xZwE5Z1v5

    Score
    10/10
    fabookieffdroiderbootkitdiscoverypersistencespywarestealerupxevasiontrojan

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral7behavioral8

    • Target

      keygen.bat

    • Size

      123B

    • MD5

      f2632c204f883c59805093720dfe5a78

    • SHA1

      c96e3aa03805a84fec3ea4208104a25a2a9d037e

    • SHA256

      f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68

    • SHA512

      5a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2

    Score
    10/10
    azorultfabookieffdroiderbootkitdiscoveryevasioninfostealerpersistencespywarestealertrojanupxponycollectioncredential_accessrat

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Azorult family

      azorult

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

      stealerffdroider

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Fabookie family

      fabookie

    • Ffdroider family

      ffdroider

    • Pony family

      pony

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook accounts

      collection

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

4
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

2
T1114

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks