General

  • Target

    93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c.exe

  • Size

    1.4MB

  • Sample

    210902-wmzatsbbh4

  • MD5

    b23d6c569893579789695f3d05accbe1

  • SHA1

    fa6b1d998500175e122de2c264869fda667bcd26

  • SHA256

    93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c

  • SHA512

    e816f5121406e32178afeabece8b63c4d773e183d18f705b5a884664013f0fe082830785c2c87913101c5c504a7a7ee60b9987d064c4e5624c681a3674a2e633

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

mazooyaar.ac.ug

Extracted

Family

raccoon

Botnet

43aae292cfe6f58a13bd7111bdd7d5ded5b23ec3

Attributes
  • url4cnc

    https://telete.in/brikitiki

  • rc4.plain

Targets

    • Target

      93ddf61c1aa7c0b867ffbd579b9febdeed4b027d14f8b86d62f7da493706731c.exe

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data and cryptocurrency wallets.

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Each technique is listed with the number of matching signatures in parentheses, followed by its technique ID.

  • Credential Access

    Credentials in Files (3): T1081

  • Discovery

    Query Registry (2): T1012

    System Information Discovery (2): T1082

  • Collection

    Data from Local System (3): T1005

Tasks