General

  • Target

    C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe

  • Size

    103KB

  • Sample

    211124-jspmcsfdb9

  • MD5

    f88740451956d87424b84326e9e9dde7

  • SHA1

    a0ccae106a243ad2b1d748512c3e6783b2dd2547

  • SHA256

    c594188774a2d72b774aca96eb096c493dbe5c9b599bef4601ed404dfe2fab53

  • SHA512

    1760df8b84624fbde5b4e6447a030ce31e45bc23fb152c2a72c52b9f652283a5f3bb7557a85620943ddc3fff3c4b7071ae864783f3731c9aea390eaf7068aa06

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    http://bit.do/e33Br

    exe.dropper

    http://bit.do/e33Br

Extracted

  • Family

    azorult

  • C2

    http://195.245.112.115/index.php

Extracted

  • Family

    raccoon

  • Version

    1.8.3-hotfix

  • Botnet

    7632dffeb03da57edca98c8bfb2611868e8eb0a7

  • Attributes

    url4cnc

    http://91.219.236.162/brikitiki

    http://185.163.47.176/brikitiki

    http://193.38.54.238/brikitiki

    http://74.119.192.122/brikitiki

    http://91.219.236.240/brikitiki

    https://t.me/brikitiki

  • rc4.plain

  • rc4.plain

Extracted

  • Family

    oski

  • C2

    colonna.ac.ug
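
Putting the extracted network indicators to work, as an added example that is not part of the sandbox report: a small Python matcher that loads the dropper, Azorult, Raccoon and Oski indicators listed above and scans key=value proxy-log lines (constructed here for illustration, with hypothetical source addresses and timestamps) for requests to them. Hosts are compared case-insensitively with the port stripped; a URL indicator also requires the same path, so the shared t.me host only fires on the brikitiki channel, while the bare Oski hostname matches any path on that host.

```python
import re
from urllib.parse import urlsplit

# Network indicators copied from the extracted configs above, keyed by stage/family.
# Oski's C2 is given as a bare hostname, so it is matched on host alone.
IOCS = {
    "dropper": ["http://bit.do/e33Br"],
    "azorult": ["http://195.245.112.115/index.php"],
    "raccoon": [
        "http://91.219.236.162/brikitiki",
        "http://185.163.47.176/brikitiki",
        "http://193.38.54.238/brikitiki",
        "http://74.119.192.122/brikitiki",
        "http://91.219.236.240/brikitiki",
        "https://t.me/brikitiki",  # url4cnc lookup; t.me is shared, so the path must match too
    ],
    "oski": ["colonna.ac.ug"],
}

# Constructed key=value proxy-log lines for illustration; not from the sandbox run.
SAMPLE_LOG = [
    "2021-11-24T09:41:12Z src=10.20.0.17 method=GET url=http://bit.do/e33Br status=302",
    "2021-11-24T09:41:15Z src=10.20.0.17 method=POST url=http://195.245.112.115/index.php status=200",
    "2021-11-24T09:41:20Z src=10.20.0.17 method=GET url=https://t.me/brikitiki status=200",
    "2021-11-24T09:41:21Z src=10.20.0.17 method=GET url=https://t.me/telegram status=200",
    "2021-11-24T09:41:30Z src=10.20.0.17 method=POST url=http://colonna.ac.ug/main.php status=200",
    "2021-11-24T09:42:00Z src=10.20.0.31 method=GET url=https://www.example.com/ status=200",
    "2021-11-24T09:42:05Z src=10.20.0.17 method=POST url=http://91.219.236.162:80/brikitiki status=200",
]

URL_FIELD = re.compile(r"\burl=(\S+)")


def normalize(url):
    """Split a URL or bare host into (host, path).

    Scheme and port are dropped and the host lower-cased; the path keeps its
    case because short-link slugs such as /e33Br are case-sensitive.
    """
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the netloc
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def compile_iocs(iocs=IOCS):
    """Pre-normalize every indicator into (family, host, path, raw) tuples."""
    compiled = []
    for family, values in iocs.items():
        for raw in values:
            host, path = normalize(raw)
            compiled.append((family, host, path, raw))
    return compiled


def match_url(url, compiled):
    """Return (family, raw_indicator) for the first indicator the URL hits, else None."""
    host, path = normalize(url)
    for family, ioc_host, ioc_path, raw in compiled:
        if host != ioc_host:
            continue
        # A host-only indicator matches every path; a URL indicator needs the same path.
        if ioc_path == "" or path == ioc_path:
            return family, raw
    return None


def scan(lines, compiled=None):
    """Return [(line_no, family, indicator)] for each log line that hits an indicator."""
    if compiled is None:
        compiled = compile_iocs()
    hits = []
    for number, line in enumerate(lines, 1):
        field = URL_FIELD.search(line)
        if not field:
            continue
        hit = match_url(field.group(1), compiled)
        if hit:
            hits.append((number, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for number, family, indicator in scan(SAMPLE_LOG):
        print(f"line {number}: {family} <- {indicator}")
```

Run against the constructed log, lines 1, 2, 3, 5 and 7 are reported; the other t.me channel and the unrelated site are not. Note that both dropper stages point at the same bit.do short link, so the shortener redirect target, not just the short URL, is worth resolving and adding to the indicator set before deploying this against real traffic.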

Targets

    • Target

      C594188774A2D72B774ACA96EB096C493DBE5C9B599BE.exe

    • Azorult

      An information stealer, first seen in 2016, that targets browsing history and saved passwords.

    • Oski

      An infostealer that targets browser data and cryptocurrency wallets.

    • Raccoon

      A simple but effective infostealer that was very active in 2019.

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect, a commercial packer/protector.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers routinely read stored browser profile data, which can include saved credentials, cookies and browsing history.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext
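
The three host-side signatures above (reading browser profile data, accessing wallet files and enumerating the Uninstall key) are each noisy on their own but together characterise an infostealer. As an added example, not part of this report or of the sandbox's own signature engine, the Python below classifies simplified Sysmon-style file-read and registry-query events (constructed here, with hypothetical process IDs, images and paths) into those three behaviours and flags any process that shows at least two of them, while ignoring a browser reading its own profile store.

```python
import re

# Constructed, simplified Sysmon-style events (pid, image, op, target) for illustration;
# the process IDs, images and paths are hypothetical and not taken from the sandbox run.
SAMPLE_EVENTS = [
    r"pid=4120 image=C:\Users\alice\AppData\Local\Temp\update.exe op=FileRead target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"pid=4120 image=C:\Users\alice\AppData\Local\Temp\update.exe op=FileRead target=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k3x1.default\logins.json",
    r"pid=4120 image=C:\Users\alice\AppData\Local\Temp\update.exe op=RegQuery target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"pid=4120 image=C:\Users\alice\AppData\Local\Temp\update.exe op=FileRead target=C:\Users\alice\AppData\Roaming\Electrum\wallets\default_wallet",
    r"pid=2208 image=C:\Program Files\Google\Chrome\Application\chrome.exe op=FileRead target=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"pid=3360 image=C:\Windows\System32\msiexec.exe op=RegQuery target=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9A3F}",
]

EVENT_FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")  # values may contain spaces

# Browsers legitimately read their own profile stores; only other images count.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
BROWSER_STORES = re.compile(r"\\(Login Data|Web Data|Cookies|logins\.json|key4\.db|cookies\.sqlite)$", re.I)
WALLET_PATHS = re.compile(r"\\(Electrum|Exodus|Ethereum|Bitcoin|Jaxx|Atomic)\\|\\wallet\.dat$", re.I)
UNINSTALL_KEY = re.compile(r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall", re.I)


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; a value runs until the next ' key=' token."""
    return dict(EVENT_FIELD.findall(line))


def classify(event):
    """Map one event to a stealer behaviour name, or None if it is unremarkable."""
    op = event.get("op")
    target = event.get("target", "")
    image_name = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if op == "FileRead" and BROWSER_STORES.search(target) and image_name not in BROWSER_IMAGES:
        return "browser_credential_store"
    if op == "FileRead" and WALLET_PATHS.search(target):
        return "crypto_wallet"
    if op == "RegQuery" and UNINSTALL_KEY.match(target):
        return "installed_software_enum"
    return None


def correlate(lines):
    """Group classified behaviours per pid: {pid: {"image": ..., "behaviors": set()}}."""
    processes = {}
    for line in lines:
        event = parse_event(line)
        behaviour = classify(event)
        if behaviour is None:
            continue
        entry = processes.setdefault(event["pid"], {"image": event["image"], "behaviors": set()})
        entry["behaviors"].add(behaviour)
    return processes


def flag(lines, threshold=2):
    """Return [(pid, image, [behaviours])] for processes showing >= threshold distinct behaviours."""
    return [
        (pid, proc["image"], sorted(proc["behaviors"]))
        for pid, proc in correlate(lines).items()
        if len(proc["behaviors"]) >= threshold
    ]


if __name__ == "__main__":
    for pid, image, behaviours in flag(SAMPLE_EVENTS):
        print(f"pid {pid} ({image}): {', '.join(behaviours)}")
```

On the constructed events only pid 4120, the executable running from the user's Temp directory, is flagged with all three behaviours; chrome.exe reading its own Login Data is excluded by image, and msiexec.exe querying the Uninstall key alone stays below the threshold. The threshold is the lever for tuning: raising it to 3 trades coverage of stealers that skip wallets for fewer false positives from installers and inventory agents.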

MITRE ATT&CK Matrix (ATT&CK v6)

The number after each technique is the count of triggered signatures mapped to it.

  • Defense Evasion

    Modify Registry (T1112): 1

  • Credential Access

    Credentials in Files (T1081): 2

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

  • Collection

    Data from Local System (T1005): 2
