General
-
Target
8181e5485c8c252628092084f37bd275eddc66d86d03bb07d149203be5e8a611
-
Size
760KB
-
Sample
220324-ck1lbsfhhn
-
MD5
2c4b3dd8eb91365645b88f763fa962f4
-
SHA1
17330e2274533cee442669dadbd0be43beb3887a
-
SHA256
8181e5485c8c252628092084f37bd275eddc66d86d03bb07d149203be5e8a611
-
SHA512
98a99702a528724136ef60a331e5741e0ccccdba86f20801a0c898104c3156bf0852097786cdbff481a9d924dd7711a8bf4c3d5012d76cf3864fa8b6363546a5
Static task
static1
Behavioral task
behavioral1
Sample
8181e5485c8c252628092084f37bd275eddc66d86d03bb07d149203be5e8a611.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
raccoon
125d9f8ed76e486f6563be097a710bd4cba7f7f2
-
url4cnc
http://5.252.178.180/brikitiki
https://t.me/brikitiki
Extracted
arkei
Default
http://62.204.41.69/p8jG9WvgbE.php
Extracted
azorult
http://195.245.112.115/index.php
Targets
-
-
Target
8181e5485c8c252628092084f37bd275eddc66d86d03bb07d149203be5e8a611
-
Size
760KB
-
MD5
2c4b3dd8eb91365645b88f763fa962f4
-
SHA1
17330e2274533cee442669dadbd0be43beb3887a
-
SHA256
8181e5485c8c252628092084f37bd275eddc66d86d03bb07d149203be5e8a611
-
SHA512
98a99702a528724136ef60a331e5741e0ccccdba86f20801a0c898104c3156bf0852097786cdbff481a9d924dd7711a8bf4c3d5012d76cf3864fa8b6363546a5
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
-
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
-
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-