General

  • Target: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0.lnk
  • Size: 714KB
  • Sample: 211231-l416msggg6
  • MD5: b3789a4c1d0df169bada833075932970
  • SHA1: 05881931c6dd4eeecf1ef8d9c05dfc97796836d4
  • SHA256: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0
  • SHA512: bc27b780dd7aeb5846a9e42ff52e66724d852753cce198bae9725cd8d5bd0c3cd8f66439f85081f639e2a012e1839121d7e17d0deffc4ca7e94b513290659b26

Malware Config

Extracted
  • Language: ps1
  • Deobfuscated
  • URLs
      ps1.dropper: http://timebound.ug/pps.ps1

Extracted
  • Family: azorult
  • C2: http://195.245.112.115/index.php

Extracted
  • Family: oski
  • C2: prepepe.ac.ug

Extracted
  • Family: raccoon
  • Version: 1.8.3-hotfix
  • Botnet: 5781468cedb3a203003fdf1f12e72fe98d6f1c0f
  • Attributes
      url4cnc:
        http://194.180.174.53/brikitiki
        http://91.219.236.18/brikitiki
        http://194.180.174.41/brikitiki
        http://91.219.236.148/brikitiki
        https://t.me/brikitiki
      rc4.plain
      rc4.plain

Targets

    • Target: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0.lnk

    • Azorult
      An information stealer that was first discovered in 2016, targeting browsing history and passwords.
    • Oski
      Oski is an infostealer targeting browser data and crypto wallets.
    • Raccoon
      Simple but powerful infostealer which was very active in 2019.
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials etc.
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      ID     Count
  Credential Access  Credentials in Files           T1081  2
  Discovery          Query Registry                 T1012  2
  Discovery          System Information Discovery   T1082  2
  Collection         Data from Local System         T1005  2

Tasks