General
-
Target
tmp
-
Size
868KB
-
Sample
220308-qfcwcshhdm
-
MD5
f9af0046085177c4ae153bd1eacde3e8
-
SHA1
4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
-
SHA256
857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
-
SHA512
f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
oski
pretorian.ug
Extracted
azorult
http://195.245.112.115/index.php
Extracted
raccoon
125d9f8ed76e486f6563be097a710bd4cba7f7f2
-
url4cnc
http://5.252.178.180/brikitiki
https://t.me/brikitiki
Targets
-
-
Target
tmp
-
Size
868KB
-
MD5
f9af0046085177c4ae153bd1eacde3e8
-
SHA1
4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
-
SHA256
857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
-
SHA512
f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt) M2
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (passwords.txt) M2
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
-
ModiLoader First Stage
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-