azorult

General

Target

618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
Size

2.9MB
Sample

211008-mc2tjadhen
MD5

b6841e1bdebcb206e38123af2ba3254c
SHA1

0e3928f6de38d4b2d0badb245d1516721712b330
SHA256

618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
SHA512

7d1c3670b8b3a3b911620949816e58103e827f4cd8318dceb1b513591e13485ccc131229709df04daae608b2f83369d90132f49095c0a9043f17e565ece0279d

Score

10^/10

Malware Config

Extracted

Family

raccoon

Version

1.8.2

Botnet

728e62b0300799f2a8741c39a71a1543c6759e8d

Attributes

url4cnc
http://teletop.top/brikitiki
http://teleta.top/brikitiki
https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

scarsa.ac.ug

Targets

- Target
  
  618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
- Size
  
  2.9MB
- MD5
  
  b6841e1bdebcb206e38123af2ba3254c
- SHA1
  
  0e3928f6de38d4b2d0badb245d1516721712b330
- SHA256
  
  618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
- SHA512
  
  7d1c3670b8b3a3b911620949816e58103e827f4cd8318dceb1b513591e13485ccc131229709df04daae608b2f83369d90132f49095c0a9043f17e565ece0279d
Score

10^/10

azorult oski raccoon 728e62b0300799f2a8741c39a71a1543c6759e8d collection discovery infostealer persistence spyware stealer suricata trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  suricata
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  suricata
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
  suricata
- suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
  suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
  suricata
- suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
  suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
  suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
  suricata
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
  spyware stealer
- Reads local data of messenger clients
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
  spyware stealer
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Accesses Microsoft Outlook profiles
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1