Overview

overview

10

Static

static

d40e6b3f44...55.exe

windows7_x64

10

d40e6b3f44...55.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255.exe

  • Size

    1.1MB

  • Sample

    211103-aczmyscgh3

  • MD5

    2df827a178fcfa149a64046339868665

  • SHA1

    13a09e2dcd38a2466428692b884cd0873f3563f1

  • SHA256

    d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

  • SHA512

    9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

Score
10/10
azorultoskiraccoon32365171a31c4583d6e3b7aad1690e41cefc38ebdiscoveryinfostealerspywarestealertrojan

Malware Config

Extracted

Family

raccoon

Botnet

32365171a31c4583d6e3b7aad1690e41cefc38eb

Attributes
  • url4cnc

    http://telegalive.top/brikitiki

    http://toptelete.top/brikitiki

    http://telegraf.top/brikitiki

    https://t.me/brikitiki

rc4.plain
rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

colonna.ac.ug

Targets

    • Target

      d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255.exe

    • Size

      1.1MB

    • MD5

      2df827a178fcfa149a64046339868665

    • SHA1

      13a09e2dcd38a2466428692b884cd0873f3563f1

    • SHA256

      d40e6b3f445ecc817cb70bf8778f4997b9dafd604b962206a49b33a8db157255

    • SHA512

      9c38bd4a5a7aaf989b2e7278eed90040a26ca5bcda6404727a906b723a0847c96286472035e80a6f8c58a2eaa64f80810fb9fd2f704ea1cfc21ad41f24457c9b

    Score
    10/10
    azorultoskiraccoon32365171a31c4583d6e3b7aad1690e41cefc38ebdiscoveryinfostealerspywarestealertrojan

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

      infostealeroski

    • Raccoon

      Simple but powerful infostealer which was very active in 2019.

      stealerraccoon

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks