azorult

General

Target

zxcv.EXE
Size

868KB
Sample

220404-eg2qbseefj
MD5

f9af0046085177c4ae153bd1eacde3e8
SHA1

4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256

857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512

f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee

Score

10^/10

Malware Config

Extracted

Family

oski

C2

pretorian.ug

Extracted

Family

raccoon

Botnet

125d9f8ed76e486f6563be097a710bd4cba7f7f2

Attributes

url4cnc
http://5.252.178.180/brikitiki

https://t.me/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

- Target
  
  zxcv.EXE
- Size
  
  868KB
- MD5
  
  f9af0046085177c4ae153bd1eacde3e8
- SHA1
  
  4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
- SHA256
  
  857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
- SHA512
  
  f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee
Score

10^/10

azorult oski raccoon 125d9f8ed76e486f6563be097a710bd4cba7f7f2 infostealer spyware stealer suricata trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Oski
  Oski is an infostealer targeting browser data, crypto wallets.
  infostealer oski
- Raccoon
  Simple but powerful infostealer which was very active in 2019.
  stealer raccoon
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
  suricata
- suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
  suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
  suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
  suricata
- suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
  suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6
  suricata
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Oski

Raccoon

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13

suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M6

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2