Extracted

Extracted

Extracted

Extracted

• • Target

    keygen-pr.exe

  • Size

    1.7MB

  • MD5

    65b49b106ec0f6cf61e7dc04c0a7eb74

  • SHA1

    a1f4784377c53151167965e0ff225f5085ebd43b

  • SHA256

    862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

  • SHA512

    e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

  • SSDEEP

    49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1

  Score

  3^/10

  discovery
  behavioral1behavioral2

• • Target

    keygen-step-1.exe

  • Size

    112KB

  • MD5

    c615d0bfa727f494fee9ecb3f0acf563

  • SHA1

    6c3509ae64abc299a7afa13552c4fe430071f087

  • SHA256

    95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

  • SHA512

    d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

  • SSDEEP

    3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio

  Score

  10^/10

  azorultdiscoveryinfostealertrojan

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Azorult family

    azorult
  behavioral3behavioral4

• • Target

    keygen-step-3.exe

  • Size

    873KB

  • MD5

    265cadde82b0c66dc39ad2d9ee800754

  • SHA1

    2e9604eade6951d5a5b4a44bee1281e32166f395

  • SHA256

    40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a

  • SHA512

    c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

  • SSDEEP

    12288:8jCwd+3hwSk5EYjUpfRNHpU1/QQ21fg7n7rOQm1/EMKK9kE8D2sMJnKhUGis5smD:8jC53hATU3NWSq7n7ry3Z62vn4b5HAl

  Score

  7^/10

  discovery

  • Deletes itself

  • Executes dropped EXE

  behavioral5behavioral6

• • Target

    keygen-step-4.exe

  • Size

    3.4MB

  • MD5

    6fc4f2d665aa1aae0a56ebd4cc6227a7

  • SHA1

    1b998ceba86cd9b87dbbf464fca3008bc5c725ea

  • SHA256

    77acd936a5bd8eb9ae70ca4ac75e5159df48324273baae60854b6fbc412d36d7

  • SHA512

    67048ad418bd35e30671b76951f149e81be58d94e6cbcff4cdc01f19b3bf0ca64103c59451efbf5e519e95a9a126df561ff559f7ee4cc263bfc501e6d0fa5f4e

  • SSDEEP

    98304:SKqyUiTtG/saMpSQwnQXl8LSZ8Z56DXXuDUVJqDI6AHZQTg9:S8usaMpuQXl8LSk5mX4iJBfQs9

  Score

  10^/10

  fabookieffdroidergcleaneronlyloggerprivateloaderdiscoveryloaderspywarestealerevasiontrojan

  • Detect Fabookie payload

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • FFDroider payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Ffdroider family

    ffdroider

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader

  • Privateloader family

    privateloader

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral7behavioral8

• • Target

    keygen-step-6.exe

  • Size

    267KB

  • MD5

    093bc5ebd2d2a39d84c1d35fbd2d9efa

  • SHA1

    e028ca17fe2c7cbf7ad234b28cd50ad2c7c440e5

  • SHA256

    ee2994ea7f202516db816f85f23aac0a13ec32743d0555f81d68568bb40f4811

  • SHA512

    da58e87b099d520f02715ffcf6b50e2a586b6baec5b64d5ee39fb4c4a81ee9b8c18c8e341ee8befcf9048088661d7f182a937a7948aacfac926f1710fa77bcfa

  • SSDEEP

    3072:zj2TWGwUnHdJzhuM67W+ZkYhvchGk9ICkxu1yxWjznBSGZBcPmSa1eTNlhWJYZoi:zGWinH8MvGKy8cP1WT/VHWpdN

  Score

  7^/10

  discovery

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral10behavioral9

• • Target

    keygen.bat

  • Size

    149B

  • MD5

    0b2622826dd00820d5725440efd7d5f4

  • SHA1

    0a9f8675e9b39a984267d402449a7f2291edfb17

  • SHA256

    82723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f

  • SHA512

    9f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3

  Score

  10^/10

  azorultfabookieffdroidergcleaneronlyloggerponycollectioncredential_accessdiscoveryinfostealerloaderratspywarestealertrojanevasion

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult

  • Azorult family

    azorult

  • Detect Fabookie payload

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider

  • FFDroider payload

  • Fabookie

    Fabookie is facebook account info stealer.

    spywarestealerfabookie

  • Fabookie family

    fabookie

  • Ffdroider family

    ffdroider

  • GCleaner

    GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    loadergcleaner

  • Gcleaner family

    gcleaner

  • OnlyLogger

    A tiny loader that uses IPLogger to get its payload.

    loaderonlylogger

  • Onlylogger family

    onlylogger

  • Pony family

    pony

  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony

  • OnlyLogger payload

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Unsecured Credentials: Credentials In Files

    Steal credentials from unsecured files.

    credential_accessstealer

  • Accesses Microsoft Outlook accounts

    collection

  • Accesses Microsoft Outlook profiles

    collection

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Checks whether UAC is enabled

    evasiontrojan

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral11behavioral12