General

  • Target

    813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46

  • Size

    5.6MB

  • Sample

    241108-2egzgazraz

  • MD5

    1ab8e9466413375989338a656ebfee8b

  • SHA1

    cb52e10ff74952328cba42eb283c4a578fe61456

  • SHA256

    813d32b014bcf87216f8af360cdf257ccdbc2080f9dbd0924fe40753d0b84f46

  • SHA512

    291c43f38b47cb63a9ec42962703550c5d5c645aa424d0ed897a78d1aaf0054292e29fd78475aa0061579657ae498b41a9ac858647d6556bf6d5390c3abd1970

  • SSDEEP

    98304:iVMjWGH1V+k0VvkKCDKqb1oBQtOCg+r2Gw5YCF5BWt5wa0CP1KG5JGz:V7Hb+vkKCDKqb1QIO4wY1tSwSz

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

ffdroider

C2

http://186.2.171.3

Extracted

Family

gcleaner

C2

194.145.227.161

Extracted

Family

privateloader

C2

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

31.210.20.251

Targets

    • Target

      keygen-pr.exe

    • Size

      1.7MB

    • MD5

      65b49b106ec0f6cf61e7dc04c0a7eb74

    • SHA1

      a1f4784377c53151167965e0ff225f5085ebd43b

    • SHA256

      862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

    • SHA512

      e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

    • SSDEEP

      49152:Apala5CynDWWmQm2qUhwLlwKeHqDDyz1v/1:AOHynDWWNPqM5KEr1

    Score
    3/10
    • Target

      keygen-step-1.exe

    • Size

      112KB

    • MD5

      c615d0bfa727f494fee9ecb3f0acf563

    • SHA1

      6c3509ae64abc299a7afa13552c4fe430071f087

    • SHA256

      95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

    • SHA512

      d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

    • SSDEEP

      3072:KExRaX6raoCoCyz6/mqv1JR+yBtGOeaeWgiZq:faZ1tme++wio

    • Target

      keygen-step-3.exe

    • Size

      873KB

    • MD5

      265cadde82b0c66dc39ad2d9ee800754

    • SHA1

      2e9604eade6951d5a5b4a44bee1281e32166f395

    • SHA256

      40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a

    • SHA512

      c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

    • SSDEEP

      12288:8jCwd+3hwSk5EYjUpfRNHpU1/QQ21fg7n7rOQm1/EMKK9kE8D2sMJnKhUGis5smD:8jC53hATU3NWSq7n7ry3Z62vn4b5HAl

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Target

      keygen-step-4.exe

    • Size

      3.4MB

    • MD5

      6fc4f2d665aa1aae0a56ebd4cc6227a7

    • SHA1

      1b998ceba86cd9b87dbbf464fca3008bc5c725ea

    • SHA256

      77acd936a5bd8eb9ae70ca4ac75e5159df48324273baae60854b6fbc412d36d7

    • SHA512

      67048ad418bd35e30671b76951f149e81be58d94e6cbcff4cdc01f19b3bf0ca64103c59451efbf5e519e95a9a126df561ff559f7ee4cc263bfc501e6d0fa5f4e

    • SSDEEP

      98304:SKqyUiTtG/saMpSQwnQXl8LSZ8Z56DXXuDUVJqDI6AHZQTg9:S8usaMpuQXl8LSk5mX4iJBfQs9

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • Ffdroider family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • OnlyLogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      keygen-step-6.exe

    • Size

      267KB

    • MD5

      093bc5ebd2d2a39d84c1d35fbd2d9efa

    • SHA1

      e028ca17fe2c7cbf7ad234b28cd50ad2c7c440e5

    • SHA256

      ee2994ea7f202516db816f85f23aac0a13ec32743d0555f81d68568bb40f4811

    • SHA512

      da58e87b099d520f02715ffcf6b50e2a586b6baec5b64d5ee39fb4c4a81ee9b8c18c8e341ee8befcf9048088661d7f182a937a7948aacfac926f1710fa77bcfa

    • SSDEEP

      3072:zj2TWGwUnHdJzhuM67W+ZkYhvchGk9ICkxu1yxWjznBSGZBcPmSa1eTNlhWJYZoi:zGWinH8MvGKy8cP1WT/VHWpdN

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      keygen.bat

    • Size

      149B

    • MD5

      0b2622826dd00820d5725440efd7d5f4

    • SHA1

      0a9f8675e9b39a984267d402449a7f2291edfb17

    • SHA256

      82723c93594b47e60cc855d7d113a09763bb4636330ff44bbbb949eb0fdcf54f

    • SHA512

      9f2ffa1065e7eeeda6a139ba1d85465cbb56a9be1419c90e599e604fc718244fc8b77b2bc46bbf3abba36e985b543c72d1e154e2d2d615c8519a9379e94804f3

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Detect Fabookie payload

    • FFDroider

      Stealer targeting social media platform users first seen in April 2022.

    • FFDroider payload

    • Fabookie

      Fabookie is facebook account info stealer.

    • Fabookie family

    • Ffdroider family

    • GCleaner

      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.

    • Gcleaner family

    • OnlyLogger

      A tiny loader that uses IPLogger to get its payload.

    • Onlylogger family

    • Pony family

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • OnlyLogger payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

azorult
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

azorultdiscoveryinfostealertrojan
Score
10/10

behavioral4

azorultdiscoveryinfostealertrojan
Score
10/10

behavioral5

discovery
Score
7/10

behavioral6

discovery
Score
7/10

behavioral7

fabookieffdroidergcleaneronlyloggerprivateloaderdiscoveryloaderspywarestealer
Score
10/10

behavioral8

fabookieffdroidergcleaneronlyloggerdiscoveryevasionloaderspywarestealertrojan
Score
10/10

behavioral9

discovery
Score
7/10

behavioral10

discovery
Score
7/10

behavioral11

azorultfabookieffdroidergcleaneronlyloggerponycollectioncredential_accessdiscoveryinfostealerloaderratspywarestealertrojan
Score
10/10

behavioral12

azorultfabookieffdroidergcleaneronlyloggerponycollectioncredential_accessdiscoveryevasioninfostealerloaderratspywarestealertrojan
Score
10/10