General
-
Target
F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru (1).zip
-
Size
4.8MB
-
Sample
241221-ratscs1kbs
-
MD5
fe5298a90bcdb0ccae76bdd89cbdefc7
-
SHA1
a0aede8fefa6d47a216f64d31b43ee698adeba3b
-
SHA256
6b0716c393a9ca8f45642d8294022c25781dfee1ccd83b1d04a66cadc519edf2
-
SHA512
c7e0669ae4f653a3f821c0efbdf1f5e27a3618b0dbb18feee245447a5ec2e82805c88b29f7601fb832309605ceb4b55720683149c32c055b3308b577c0772d3c
-
SSDEEP
98304:dpN88JZ7j5rAPOePa6xfYUR922GFuyVoFB2/7xqzA/fOF6GyAhfe9tAL3I9f:dpN88j7jRcTP7xfNc2GlkkNsjF6E1Etj
Malware Config
Extracted
azorult
http://upqx.ru/1210776429.php
Extracted
pony
http://top.regdnl.ru/bussin/gate.php
Targets
-
-
Target
F_Secure_VPN_Plus_v5_50_keygen_by_KeyGenGuru.exe
-
Size
4.9MB
-
MD5
510b4b10293559f94ef23cc1d85b106f
-
SHA1
1e006333dee51cb4ece00c55edea7645e9f492ce
-
SHA256
508b26909f773ce2d08f74451821ffae3645992ff6832db06a4f87acb988c3be
-
SHA512
d5cbf189be667012992c668e974d666d01691a74528cf0375b77a1aec6e8f7dc589764b738153fc52beebbbcfe3f3064779cea354dbc6eefbd60a37aa6a54ed8
-
SSDEEP
98304:ehSZcczCkoJA2I8ubb2b/Rf8jjaG/xN1rD4gVE6sV/TeLuBKkgO:ehS9CkoXIMqjJflD4gVGZeLpkT
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Azorult family
-
Pony family
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-