General

  • Target

    0AB9CD8D5F1DA2D03AB76DB5BE55DBBCB575EC0D8785D.exe

  • Size

    1.1MB

  • Sample

    211210-v4ahcsagar

  • MD5

    0f584671295bd312cf31fa8e938fd8b9

  • SHA1

    9d4874a26c587c3501324702ac609325c1b7087c

  • SHA256

    0ab9cd8d5f1da2d03ab76db5be55dbbcb575ec0d8785db3677366fab2eafd48e

  • SHA512

    6dc1192a9fe59533513637caea2335af047432598048f03ccd0478b3cf8ee73d214900fce0e18fb8508fb32a4412e73cd6ded3a9fda06ddb517a230c30adc734

Malware Config

Extracted

  • Family

    azorult

  • C2

    http://195.245.112.115/index.php

Extracted

  • Family

    raccoon

  • Version

    1.8.3-hotfix

  • Botnet

    5781468cedb3a203003fdf1f12e72fe98d6f1c0f

  • Attributes

  • url4cnc

    http://194.180.174.53/brikitiki

    http://91.219.236.18/brikitiki

    http://194.180.174.41/brikitiki

    http://91.219.236.148/brikitiki

    https://t.me/brikitiki
  • rc4.plain

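How the raccoon url4cnc and rc4.plain entries fit together, as an added example that is not part of this report and not Raccoon's own code: Raccoon 1.x did not hardcode its gate. It fetched a page at one of the url4cnc locations (a Telegram channel page or one of the IP mirrors above), cut a delimited string out of it, base64-decoded that string and RC4-decrypted it with a key embedded in the sample, which Triage reports as rc4.plain (the value is not shown above). The key, the delimiter, the page body and the decoded address below are all constructed for the example; the real sample's marker and key are not on this page.

```python
"""Decode a Raccoon-style C2 string fetched from a url4cnc page.

Added example, not part of the Triage report and not Raccoon's own code.
Key, delimiters, page body and the resulting URL are constructed here.
"""
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumed delimiter around the encrypted blob; the real sample's marker is not on the page.
MARK = "^_^"
BLOB_RE = re.compile(re.escape(MARK) + r"([A-Za-z0-9+/=]+)" + re.escape(MARK))

# Constructed stand-in for the rc4.plain value, which the report above does not show.
ASSUMED_KEY = b"example-rc4-key"


def extract_c2(page_html: str, rc4_key: bytes) -> str:
    """Locate the delimited blob, base64-decode it, RC4-decrypt it and sanity-check the result."""
    match = BLOB_RE.search(page_html)
    if match is None:
        raise ValueError("no delimited blob found in page")
    plaintext = rc4(rc4_key, base64.b64decode(match.group(1)))
    try:
        url = plaintext.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("decrypted data is not text: wrong key or delimiter") from exc
    if not url.startswith(("http://", "https://")):
        raise ValueError("decrypted data is not a URL: wrong key or delimiter")
    return url


def build_page(c2_url: str, rc4_key: bytes) -> str:
    """Construct a fake channel page carrying an encrypted C2, so the decoder runs offline."""
    blob = base64.b64encode(rc4(rc4_key, c2_url.encode("ascii"))).decode("ascii")
    return (
        "<html><head>"
        f'<meta property="og:description" content="channel {MARK}{blob}{MARK}">'
        "</head><body>preview</body></html>"
    )


# Constructed page; 203.0.113.7 is an RFC 5737 documentation address, not a real C2.
CONSTRUCTED_PAGE = build_page("http://203.0.113.7/gate.php", ASSUMED_KEY)

if __name__ == "__main__":
    print(extract_c2(CONSTRUCTED_PAGE, ASSUMED_KEY))
```

The sanity checks at the end of extract_c2 matter in practice: RC4 never fails, so a wrong key or a mis-cut blob simply yields garbage, and the only signal is that the result is not printable or is not a URL.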
Extracted

  • Family

    oski

  • C2

    prepepe.ac.ug

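Turning the three extracted configs above into a hunt, as an added example that is not part of this report: the indicator values are the ones listed under Malware Config, the proxy log lines are constructed, and the point is that the raccoon Telegram entry must be matched on host plus path, since t.me on its own is a shared service and would flood a host-only match.

```python
"""Match the C2 indicators from this report against proxy log lines.

Added example, not part of the Triage report. The log lines are constructed;
the indicator values are the ones listed in the Malware Config section.
"""
from urllib.parse import urlsplit

# Indicators copied from the report. Telegram is a shared service, so the raccoon
# t.me entry is matched on host plus path, never on host alone.
INDICATORS = {
    "azorult": {"hosts": {"195.245.112.115"}, "urls": set()},
    "raccoon": {
        "hosts": {"194.180.174.53", "91.219.236.18", "194.180.174.41", "91.219.236.148"},
        "urls": {"t.me/brikitiki"},
    },
    "oski": {"hosts": {"prepepe.ac.ug"}, "urls": set()},
}


def host_matches(host: str, indicator: str) -> bool:
    """Exact host match, or a subdomain of a domain indicator."""
    return host == indicator or host.endswith("." + indicator)


def classify_url(url: str):
    """Return (family, indicator) for a URL that hits an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host_and_path = host + parts.path
    for family, ioc in INDICATORS.items():
        for ind in ioc["hosts"]:
            if host_matches(host, ind):
                return family, ind
        for ind in ioc["urls"]:
            if host_and_path == ind or host_and_path.startswith(ind + "/"):
                return family, ind
    return None


def scan_log(log_text: str):
    """Scan 'time client method url' lines; return [(line_no, client, family, indicator), ...]."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, _method, url = fields[:4]
        verdict = classify_url(url)
        if verdict:
            hits.append((line_no, client, verdict[0], verdict[1]))
    return hits


# Constructed proxy log (fields: time, client, method, url). The /gate.php path on the
# oski domain is invented for the example; the report only lists the domain.
CONSTRUCTED_LOG = """\
1639150001 10.0.0.5 POST http://195.245.112.115/index.php
1639150002 10.0.0.5 GET https://t.me/brikitiki
1639150003 10.0.0.7 GET https://t.me/someotherchannel
1639150004 10.0.0.5 POST http://prepepe.ac.ug/gate.php
1639150005 10.0.0.9 GET http://91.219.236.18/brikitiki
1639150006 10.0.0.9 GET http://www.example.com/
"""

if __name__ == "__main__":
    for hit in scan_log(CONSTRUCTED_LOG):
        print(hit)
```

Client 10.0.0.5 hits azorult, raccoon and oski in sequence, which is exactly the loader-plus-three-stealers picture the report paints, so correlating hits per client rather than counting them separately is the useful view.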
Targets

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Oski

      Oski is an infostealer targeting browser data and cryptocurrency wallets.

    • Raccoon

      A simple but powerful infostealer that was very active in 2019.

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M17

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry (e.g. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall) to enumerate software on the system.

    • Suspicious use of SetThreadContext

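What the "Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)" alert above is reacting to, as an added example that is not part of this report and is not the Emerging Threats rule itself: stealers of this kind zip the harvested files and upload the archive in a POST, and the entry names are visible in cleartext in the ZIP local file headers even though the contents are compressed. The code approximates the rule by walking those headers in a POST body; the request it inspects is constructed in memory, and 203.0.113.7 is an RFC 5737 documentation address, not a C2.

```python
"""Flag a zipped Passwords.txt inside an outbound HTTP POST body.

Added example, not part of the Triage report and not the Emerging Threats rule
itself. The request below is constructed in memory.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# version, flags, method, time, date, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_FMT = "<HHHHHIIIHH"
LOCAL_HEADER_LEN = 30  # 4-byte signature + 26 bytes of fixed fields


def zip_entry_names(data: bytes):
    """Yield the file name of every ZIP local file header found in data."""
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + LOCAL_HEADER_LEN <= len(data):
        fields = struct.unpack(LOCAL_HEADER_FMT, data[pos + 4 : pos + LOCAL_HEADER_LEN])
        csize, name_len, extra_len = fields[6], fields[8], fields[9]
        name_start = pos + LOCAL_HEADER_LEN
        yield data[name_start : name_start + name_len].decode("utf-8", errors="replace")
        # Skip this entry's data when the header carries a size; csize is 0 for streamed
        # entries that put the sizes in a trailing data descriptor, so then just continue.
        pos = data.find(LOCAL_HEADER_SIG, name_start + name_len + extra_len + csize)


def inspect_request(raw: bytes, watch=frozenset({"passwords.txt"})):
    """Return watched file names found in ZIP headers of a POST body (empty for non-POST)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.split(b"\r\n", 1)[0].startswith(b"POST "):
        return []
    names = {n for n in zip_entry_names(body) if n.rsplit("/", 1)[-1].lower() in watch}
    return sorted(names)


def build_post(entries, host=b"203.0.113.7", path=b"/index.php"):
    """Construct a multipart POST carrying a ZIP of the given {name: content} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    boundary = b"----constructedboundary"
    body = (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="file"; filename="data.zip"\r\n'
        + b"Content-Type: application/zip\r\n\r\n"
        + buf.getvalue()
        + b"\r\n--" + boundary + b"--\r\n"
    )
    head = (
        b"POST " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n"
        + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
    )
    return head + b"\r\n" + body


# Constructed stealer-style upload and a benign upload for comparison.
EXFIL_POST = build_post({"Passwords.txt": b"site|user|pass\n", "Browsers/Cookies.txt": b"..."})
BENIGN_POST = build_post({"report.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    print(inspect_request(EXFIL_POST))   # ['Passwords.txt']
    print(inspect_request(BENIGN_POST))  # []
```

The watch list here holds only the name the rule is named after; in practice the same walk is run against the full set of file names a given stealer family is known to drop, and an archive carrying several of them together is a far stronger signal than any one name alone.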
MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files (T1081), 2 signatures

  • Discovery: Query Registry (T1012), 2 signatures; System Information Discovery (T1082), 2 signatures

  • Collection: Data from Local System (T1005), 2 signatures
