General

  • Target

    Cisco_VPN_Client_v5_0_07_keygen_by_KeyGenGuru.zip

  • Size

    7.2MB

  • Sample

    241221-rdlads1len

  • MD5

    fa920b6cffc985e71a9a7921b42ecb84

  • SHA1

    24f4e6e3daa9d60cb249cda22d046ddd64056af1

  • SHA256

    b8d1e274e76cd0e9ff78de57afe85f28b9d79620745c36dde51f5867039ce49f

  • SHA512

    6b3be5bb452636bcc5516454aef23860e46f432e19caefa1093ed8bfe2a6fa6b68ea94edb7d405993b82a1eb82b1056dc6e6070a5fda728e9dcca0e9199ed0e1

  • SSDEEP

    196608:GIeZHNhnaNOgD0rNWfu1LwGxLlrkoaAsHpS:GIeZHNhu0rggdxLZNuA

Malware Config

Extracted

Family

azorult

C2

http://upqx.ru/1210776429.php

Targets

    • Target

      Cisco_VPN_Client_v5_0_07_keygen_by_KeyGenGuru.zip

    • Size

      7.2MB

    • MD5

      fa920b6cffc985e71a9a7921b42ecb84

    • SHA1

      24f4e6e3daa9d60cb249cda22d046ddd64056af1

    • SHA256

      b8d1e274e76cd0e9ff78de57afe85f28b9d79620745c36dde51f5867039ce49f

    • SHA512

      6b3be5bb452636bcc5516454aef23860e46f432e19caefa1093ed8bfe2a6fa6b68ea94edb7d405993b82a1eb82b1056dc6e6070a5fda728e9dcca0e9199ed0e1

    • SSDEEP

      196608:GIeZHNhnaNOgD0rNWfu1LwGxLlrkoaAsHpS:GIeZHNhu0rggdxLZNuA

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Azorult family

    • Pony family

    • Pony, Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Cisco_VPN_Client_v5_0_07_keygen_by_KeyGenGuru.zip

    • Size

      7.2MB

    • MD5

      d8921169fee349f9e70a294901d59ffb

    • SHA1

      cf45c1d9b230ed7464596c24b8db099fe6cc9359

    • SHA256

      af66ad74e9a3367191ad63919581995407706f28c45d8379f50da494ff724fd5

    • SHA512

      b0c16d4b7b22361b70d94135a65d0284367791f3919237d2abd90688393f4378133baa4e88cafec3ebf9c467596019088b26931a971475e6c27ebee4742c63ec

    • SSDEEP

      196608:FIeZHNhnaNOgD0rNWfu1LwGxLlrkoaAsHpS:FIeZHNhu0rggdxLZNug

    Score: 1/10

    • Target

      Cisco_VPN_Client_v5_0_07_keygen_by_KeyGenGuru.exe

    • Size

      7.4MB

    • MD5

      985a830153c1ffe009a634b0b041c919

    • SHA1

      6761313463d3f3174ddfbe2dc32e4596bea44594

    • SHA256

      2a12d2607a06e86780d8f8514c4dd122ad364f42a9fdde5378bd0da4708c3d3a

    • SHA512

      5c07df35119ff549713e3648ed9fbbb798db226544b9a616589ad7f0ce7be213884f72ac2999fa246c514a44726d2e36995ed2fdf39c47dcfaa8e5de76251ff5

    • SSDEEP

      196608:ehcoA1/WuwMmahoCsAlHhsoiLqu+dxytXom/GBuSPE1WKM:jo8VXhoCsArsoiyOXoT3

    Score: 1/10

    • Target

      FILE_ID.DIZ

    • Size

      53B

    • MD5

      d963dd9f9689dea88801545ae9f1dd44

    • SHA1

      0d921c3a12c4673c0b4fae59fdca66524daa6a8c

    • SHA256

      db0b438e2f1c1f0e84bf6b51ecf1e93bdd3315e123b3adafc7a4e9f8f3914525

    • SHA512

      4c0008cae96d8f5662418127b0c34053a866050702e0a4983fa14e530f151ddd532c6a8476ecd8acd58ad6610ac096bdfe3b904e6d13e2ed76e0d808d4d5ffd1

    Score: 3/10

    • Target

      Password.HERE.jpeg

    • Size

      2KB

    • MD5

      b49a7202fb4a6cde0d9d8d4b933a7b76

    • SHA1

      ac1f52da6f92d6588fb9813756a0190a7f167bd3

    • SHA256

      ff5026d2e6a35f58170d6c0d12789682d800f29cf95e37da7e1af339a674924d

    • SHA512

      6154c87492fdb5c61dd65caecf40ba56c509ff358c815e7de05608bdc1ea46ec5b049161edc1ada837e6f979883871b661aeb73459388330c61f89bf33da3f5c

    Score: 7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15