azorult | 50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6

General

Target

0ae0de96557c8b19cd5afe41809fcb77.exe
Size

1017KB
MD5

0ae0de96557c8b19cd5afe41809fcb77
SHA1

7103096815e873d2d232be82cbe0f947de1fd60b
SHA256

50cae11649a917039a3fadf933dcf5d724ce0db6fbe4d29cb0aa590896849ca6
SHA512

2e749b3f63a836156449c0adc9ab6cdd3755ec438432ca681f40b6e1cf66157a8ec813053b08c65540eaa9e09d211de5f562eaebdd4a7462696e1390fafaa9dd

Score

10^/10

azorult oski raccoon e46b687ebd2ee58509e772fb3a53ac789365d90b infostealer stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

e46b687ebd2ee58509e772fb3a53ac789365d90b

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

gfbrice.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Executes dropped EXE 4 IoCs

Processes:

bgfhFcvb.exebngfDFrev.exebgfhFcvb.exebngfDFrev.exe

pid process

3328 bgfhFcvb.exe
4052 bngfDFrev.exe
1404 bgfhFcvb.exe
3612 bngfDFrev.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

0ae0de96557c8b19cd5afe41809fcb77.exebgfhFcvb.exebngfDFrev.exe

pid process

2504 0ae0de96557c8b19cd5afe41809fcb77.exe
2504 0ae0de96557c8b19cd5afe41809fcb77.exe
1404 bgfhFcvb.exe
1404 bgfhFcvb.exe
3612 bngfDFrev.exe

pid	process
3328	bgfhFcvb.exe
4052	bngfDFrev.exe
1404	bgfhFcvb.exe
3612	bngfDFrev.exe

pid	process
2504	0ae0de96557c8b19cd5afe41809fcb77.exe
2504	0ae0de96557c8b19cd5afe41809fcb77.exe
1404	bgfhFcvb.exe
1404	bgfhFcvb.exe
3612	bngfDFrev.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

0ae0de96557c8b19cd5afe41809fcb77.exebgfhFcvb.exebngfDFrev.exe

description	pid	process	target process
PID 984 set thread context of 2504	984	0ae0de96557c8b19cd5afe41809fcb77.exe	0ae0de96557c8b19cd5afe41809fcb77.exe
PID 3328 set thread context of 1404	3328	bgfhFcvb.exe	bgfhFcvb.exe
PID 4052 set thread context of 3612	4052	bngfDFrev.exe	bngfDFrev.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

0ae0de96557c8b19cd5afe41809fcb77.exebgfhFcvb.exebngfDFrev.exe

pid process

984 0ae0de96557c8b19cd5afe41809fcb77.exe
3328 bgfhFcvb.exe
4052 bngfDFrev.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0ae0de96557c8b19cd5afe41809fcb77.exebgfhFcvb.exebngfDFrev.exe

pid process

984 0ae0de96557c8b19cd5afe41809fcb77.exe
3328 bgfhFcvb.exe
4052 bngfDFrev.exe

pid	process
984	0ae0de96557c8b19cd5afe41809fcb77.exe
3328	bgfhFcvb.exe
4052	bngfDFrev.exe

pid	process
984	0ae0de96557c8b19cd5afe41809fcb77.exe
3328	bgfhFcvb.exe
4052	bngfDFrev.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0ae0de96557c8b19cd5afe41809fcb77.exebgfhFcvb.exebngfDFrev.exe

description	pid	process	target process
PID 984 wrote to memory of 3328	984	0ae0de96557c8b19cd5afe41809fcb77.exe	bgfhFcvb.exe
PID 984 wrote to memory of 3328	984	0ae0de96557c8b19cd5afe41809fcb77.exe	bgfhFcvb.exe
PID 984 wrote to memory of 3328	984	0ae0de96557c8b19cd5afe41809fcb77.exe	bgfhFcvb.exe
PID 984 wrote to memory of 4052	984	0ae0de96557c8b19cd5afe41809fcb77.exe	bngfDFrev.exe
PID 984 wrote to memory of 4052	984	0ae0de96557c8b19cd5afe41809fcb77.exe	bngfDFrev.exe
PID 984 wrote to memory of 4052	984	0ae0de96557c8b19cd5afe41809fcb77.exe	bngfDFrev.exe
PID 984 wrote to memory of 2504	984	0ae0de96557c8b19cd5afe41809fcb77.exe	0ae0de96557c8b19cd5afe41809fcb77.exe
PID 984 wrote to memory of 2504	984	0ae0de96557c8b19cd5afe41809fcb77.exe	0ae0de96557c8b19cd5afe41809fcb77.exe
PID 984 wrote to memory of 2504	984	0ae0de96557c8b19cd5afe41809fcb77.exe	0ae0de96557c8b19cd5afe41809fcb77.exe
PID 984 wrote to memory of 2504	984	0ae0de96557c8b19cd5afe41809fcb77.exe	0ae0de96557c8b19cd5afe41809fcb77.exe
PID 3328 wrote to memory of 1404	3328	bgfhFcvb.exe	bgfhFcvb.exe
PID 3328 wrote to memory of 1404	3328	bgfhFcvb.exe	bgfhFcvb.exe
PID 3328 wrote to memory of 1404	3328	bgfhFcvb.exe	bgfhFcvb.exe
PID 3328 wrote to memory of 1404	3328	bgfhFcvb.exe	bgfhFcvb.exe
PID 4052 wrote to memory of 3612	4052	bngfDFrev.exe	bngfDFrev.exe
PID 4052 wrote to memory of 3612	4052	bngfDFrev.exe	bngfDFrev.exe
PID 4052 wrote to memory of 3612	4052	bngfDFrev.exe	bngfDFrev.exe
PID 4052 wrote to memory of 3612	4052	bngfDFrev.exe	bngfDFrev.exe

C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe
"C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe
"C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3328

C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe
"C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1404

C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe
"C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe
"C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3612

C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe
"C:\Users\Admin\AppData\Local\Temp\0ae0de96557c8b19cd5afe41809fcb77.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe
MD5
034b19cb876079dbb221b6c7d22aabf5

SHA1
f88c8b816cb35822fdca705ff3a5e092a48adbb7

SHA256
6fa5518df102c05c34000950d4ae0daf7dc30ad34c70cb7bb98b6d382f5ced0d

SHA512
a93eba7f4829ba6d7ef4d1c1f7a54af2776a83091453e3971dc05621de747d9511e87197dcc06059dee22c08489af428f59a37a90c4efb9d22a43c1085ecda61

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe
MD5
034b19cb876079dbb221b6c7d22aabf5

SHA1
f88c8b816cb35822fdca705ff3a5e092a48adbb7

SHA256
6fa5518df102c05c34000950d4ae0daf7dc30ad34c70cb7bb98b6d382f5ced0d

SHA512
a93eba7f4829ba6d7ef4d1c1f7a54af2776a83091453e3971dc05621de747d9511e87197dcc06059dee22c08489af428f59a37a90c4efb9d22a43c1085ecda61

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgfhFcvb.exe
MD5
034b19cb876079dbb221b6c7d22aabf5

SHA1
f88c8b816cb35822fdca705ff3a5e092a48adbb7

SHA256
6fa5518df102c05c34000950d4ae0daf7dc30ad34c70cb7bb98b6d382f5ced0d

SHA512
a93eba7f4829ba6d7ef4d1c1f7a54af2776a83091453e3971dc05621de747d9511e87197dcc06059dee22c08489af428f59a37a90c4efb9d22a43c1085ecda61

Download Submit
C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe
MD5
dc201e0fdd90efdd50b7acd42f0a64f9

SHA1
a1d216b54481a36636c50f1b14307e098da9a9b8

SHA256
f0ebc641ddd2dc42ada732ad2a685fd2c2fbd575ac9140f539ad72c642badfd8

SHA512
daf8cecc8600a08d1770339a64fd0805bf915dfa9f9dc3599b1bed1c7c031910a0aa18f974c639cde1395a1647069898d35acfd0e8f1253d854ee95fd4ea0ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe
MD5
dc201e0fdd90efdd50b7acd42f0a64f9

SHA1
a1d216b54481a36636c50f1b14307e098da9a9b8

SHA256
f0ebc641ddd2dc42ada732ad2a685fd2c2fbd575ac9140f539ad72c642badfd8

SHA512
daf8cecc8600a08d1770339a64fd0805bf915dfa9f9dc3599b1bed1c7c031910a0aa18f974c639cde1395a1647069898d35acfd0e8f1253d854ee95fd4ea0ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\bngfDFrev.exe
MD5
dc201e0fdd90efdd50b7acd42f0a64f9

SHA1
a1d216b54481a36636c50f1b14307e098da9a9b8

SHA256
f0ebc641ddd2dc42ada732ad2a685fd2c2fbd575ac9140f539ad72c642badfd8

SHA512
daf8cecc8600a08d1770339a64fd0805bf915dfa9f9dc3599b1bed1c7c031910a0aa18f974c639cde1395a1647069898d35acfd0e8f1253d854ee95fd4ea0ffe

Download Submit
memory/1404-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1404-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1404-18-0x000000000041A684-mapping.dmp

Download
memory/2504-15-0x000000000043FA56-mapping.dmp

Download
memory/2504-16-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/2504-14-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/3328-4-0x0000000000000000-mapping.dmp

Download
memory/3612-21-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3612-22-0x0000000000417A8B-mapping.dmp

Download
memory/3612-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4052-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads