azorult

Target

4363463463464363463463463.zip.zip
Size

394KB
Sample

250414-r6mc6ayqx4
MD5

22872ef7f39c6c03422b358f867e69b7
SHA1

263dbd53bf3e6766a11e0a0ce896e708be807aa0
SHA256

12fce52d084a8c7efa638c88fa2307bca7c038a49fe566ebb05533cacf17efbd
SHA512

d26020b40e03a1bc7dff4d872c9421e07681e4bb4bbf9172f063be7d81b060686f1091dd2603de30ae600cae250e4a94cd3f2909e88e2e26b796771b8eb6b817
SSDEEP

12288:YGA+VQGlOa26BcdTJw3dzxdY4BAvcTCyY:YGfQGlg64NWv64AETI

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

82.193.104.21:5137

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

redline

Botnet

BUY TG @FATHEROFCARDERS

45.66.231.214:9932

Extracted

Family

lumma

https://p3ar11fter.sbs/api

https://3xp3cts1aim.sbs/api

https://owner-vacat10n.sbs/api

https://peepburry828.sbs/api

https://p10tgrace.sbs/api

https://befall-sm0ker.sbs/api

https://librari-night.sbs/api

https://processhol.sbs/api

https://push-hook.cyou/api

https://weiggheticulop.shop/api

https://consciousourwi.shop/api

https://southedhiscuso.shop/api

https://deicedosmzj.shop/api

https://cagedwifedsozm.shop/api

https://charecteristicdxp.shop/api

https://interactiedovspm.shop/api

https://potentioallykeos.shop/api

https://weaknessmznxo.shop/api

Extracted

Family

quasar

Version

1.4.1

Botnet

Nigga

yzs-42879.portmap.host:42879

Mutex

57d72303-b5e9-46aa-8cc4-9690809c1a9e

Attributes

encryption_key
F1EBDB1862062F9265C0B5AC4D02C76D026534D0
install_name
RuntimeBroker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
Temp

Extracted

Family

xworm

Version

5.0

applications-scenario.gl.at.ply.gg:53694

week-dictionary.gl.at.ply.gg:12466

Mutex

LkatwdFtbmAdPfGj

Attributes

Install_directory
%AppData%
install_file
Wave.exe

aes.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

quasar

Version

1.4.1

Botnet

DDNS

193.161.193.99:32471

Mutex

807f3187-d087-4fff-beff-e73293a32af8

Attributes

encryption_key
81A0C14D4C705B3C678E573C849DE7F6A3671A8B
install_name
jusched.exe
log_directory
CachedLogs
reconnect_delay
3000
startup_key
Java Update Scheduler
subdirectory
Java

Extracted

Family

stealc

Botnet

Line

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

lumma

https://zestmodp.top/zeda

https://jawdedmirror.run/ewqd

https://changeaie.top/geps

https://lonfgshadow.live/xawi

https://liftally.top/xasj

https://nighetwhisper.top/lekd

https://salaccgfa.top/gsooz

https://owlflright.digital/qopy

Extracted

Family

quasar

Version

1.4.0.0

Botnet

FakeCreal

espinyskibidi-40205.portmap.host:40205

Mutex

CdrjrrWbtRopP1ic7E

Attributes

encryption_key
HXEHSwyN1GHqlZUqunrd
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Client
subdirectory
Microsoft

Extracted

Family

quasar

Version

1.4.1

Botnet

21325

146.190.110.91:13000

Mutex

e5627e25-0d0e-4509-8b39-a3de07ba1545

Attributes

encryption_key
3B7163AA2D236AA40236BB7204ED370202AD4ABE
install_name
explorer.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftQuasUpdate
subdirectory
explorer

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.181.84:4782

Mutex

1ed20179-691a-4881-806d-c5d12340d8e9

Attributes

encryption_key
DF9BFB10D9C47294CB84A29DC07B28AE843D8C6F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Targets

- Target
  
  4363463463464363463463463.exe
- Size
  
  764KB
- MD5
  
  85e3d4ac5a6ef32fb93764c090ef32b7
- SHA1
  
  adedb0aab26d15cf96f66fda8b4cfbbdcc15ef52
- SHA256
  
  4e5cc8cb98584335400d00f0a0803c3e0202761f3fbe50bcab3858a80df255e1
- SHA512
  
  a7a037bde41bcd425be18a712e27a793185f7fde638e139bbd9d253c371cd9622385eda39cf91ab715ead2591cff5b8c9f5b31d903f138d8af7bab6a9001ccab
- SSDEEP
  
  12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ufbj:6nsJ39LyjbJkQFMhmC+6GD9mH
Score

10^/10

azorult dcrat lumma njrat phorphiex quasar redline stealc umbral xmrig xred xworm zharkbot 21325 buy tg @fatherofcarders ddns fakecreal hacked line nigga office04 qll backdoor botnet defense_evasion discovery execution infostealer loader miner persistence rat spyware stealer themida trojan upx worm
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Azorult family
  azorult
- DcRat
  DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
  rat infostealer dcrat
- Dcrat family
  dcrat
- Detect Umbral payload
- Detect Xworm Payload
- Detects ZharkBot payload
  ZharkBot is a botnet written C++.
- Lumma Stealer, LummaC
  Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
  stealer lumma
- Lumma family
  lumma
- Njrat family
  njrat
- Phorphiex family
  phorphiex
- Phorphiex payload
- Phorphiex, Phorpiex
  Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
  worm trojan loader phorphiex
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Stealc family
  stealc
- Umbral
  Umbral stealer is an opensource moduler stealer written in C#.
  stealer umbral
- Umbral family
  umbral
- XMRig Miner payload
  miner
- Xmrig family
  xmrig
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- ZharkBot
  ZharkBot is a botnet written C++.
  botnet zharkbot
- Zharkbot family
  zharkbot
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- DCRat payload
  Detects payload of DCRat, commonly dropped by NSIS installers.
  rat
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Modifies Windows Firewall
  defense_evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1