General

  • Target

    e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221.exe

  • Size

    1.0MB

  • Sample

    211114-abrwqaffc9

  • MD5

    a3cc781be4a0cc75f14ce69b59f8c99f

  • SHA1

    9c13ea485984c9e75196c4d0bd871b1b7dc72017

  • SHA256

    e4649c5b452d75aa2cdfdb8bffed9dd6c558d3cb1225c877bf570abb7b106221

  • SHA512

    bb9f6115dac6d1001f5223c9a8d00c7c2b3865d7e9f99bad773df52d188e93282547ea37e496d987f3243c2445afaefe76b7e4849c2eb09bd73ba9ea21e23430

Malware Config

  • Extracted

    Family: azorult
    C2: http://195.245.112.115/index.php

  • Extracted

    Family: raccoon
    Version: 1.8.3-hotfix
    Botnet: 7632dffeb03da57edca98c8bfb2611868e8eb0a7
    Attributes:
      url4cnc:
        http://91.219.236.162/brikitiki
        http://185.163.47.176/brikitiki
        http://193.38.54.238/brikitiki
        http://74.119.192.122/brikitiki
        http://91.219.236.240/brikitiki
        https://t.me/brikitiki
      rc4.plain

  • Extracted

    Family: oski
    C2: colonna.ac.ug

Targets

    • Azorult

      An information stealer first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data and cryptocurrency wallets.

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access

    Credentials in Files (T1081), 2 matching signatures

  • Discovery

    Query Registry (T1012), 2 matching signatures

    System Information Discovery (T1082), 2 matching signatures

  • Collection

    Data from Local System (T1005), 2 matching signatures
