General

Target: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0.lnk
Size: 714KB
Sample: 211231-l416msggg6
MD5: b3789a4c1d0df169bada833075932970
SHA1: 05881931c6dd4eeecf1ef8d9c05dfc97796836d4
SHA256: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0
SHA512: bc27b780dd7aeb5846a9e42ff52e66724d852753cce198bae9725cd8d5bd0c3cd8f66439f85081f639e2a012e1839121d7e17d0deffc4ca7e94b513290659b26
Static task: static1

Behavioral task: behavioral1
Sample: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0.lnk
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0.lnk
Resource: win10-en-20211208
Malware Config

Extracted: http://timebound.ug/pps.ps1

Extracted: azorult
  http://195.245.112.115/index.php

Extracted: oski
  prepepe.ac.ug

Extracted: raccoon
  1.8.3-hotfix
  5781468cedb3a203003fdf1f12e72fe98d6f1c0f
  url4cnc:
    http://194.180.174.53/brikitiki
    http://91.219.236.18/brikitiki
    http://194.180.174.41/brikitiki
    http://91.219.236.148/brikitiki
    https://t.me/brikitiki
Targets

Target: 9cf343621bc7b969ea62575f37fbae16b760445b7e35dccd018d4c9900766ba0.lnk
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- Suspicious use of NtCreateProcessExOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext