azorult | 857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d

General

Target

zxcv.exe
Size

868KB
MD5

f9af0046085177c4ae153bd1eacde3e8
SHA1

4f6fe60cd9bb7644cb30003799aa97e8e3947b0c
SHA256

857fc01da428dccc15e996c5e737eda4148df3676c987a4416c5bb0768ce982d
SHA512

f2f828a8a99d54d6757a51060e1665b2146afccf5b5fa529db691ce761b49c8a170b19a692ed7b32c550eee5b5697fdb67f85c5db260047506f7368c81a1fcee

Score

10^/10

azorult oski raccoon 125d9f8ed76e486f6563be097a710bd4cba7f7f2 infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

oski

C2

pretorian.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

125d9f8ed76e486f6563be097a710bd4cba7f7f2

Attributes

url4cnc
http://5.252.178.180/brikitiki

https://t.me/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata: ET MALWARE Win32.Raccoon Stealer - Telegram Mirror Checkin (generic)
suricata
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M13
suricata

Executes dropped EXE 4 IoCs

pid	Process
4380	Dbvsdfe.exe
4804	dfgasdme.exe
968	Dbvsdfe.exe
2364	dfgasdme.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	zxcv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4380 set thread context of 968	4380	Dbvsdfe.exe	83
PID 3052 set thread context of 3616	3052	zxcv.exe	84
PID 4804 set thread context of 2364	4804	dfgasdme.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4308	968	WerFault.exe	83

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4380	Dbvsdfe.exe
3052	zxcv.exe
4804	dfgasdme.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3052	zxcv.exe
4380	Dbvsdfe.exe
4804	dfgasdme.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4380	3052	zxcv.exe	80
PID 3052 wrote to memory of 4380	3052	zxcv.exe	80
PID 3052 wrote to memory of 4380	3052	zxcv.exe	80
PID 3052 wrote to memory of 4804	3052	zxcv.exe	81
PID 3052 wrote to memory of 4804	3052	zxcv.exe	81
PID 3052 wrote to memory of 4804	3052	zxcv.exe	81
PID 4380 wrote to memory of 968	4380	Dbvsdfe.exe	83
PID 4380 wrote to memory of 968	4380	Dbvsdfe.exe	83
PID 4380 wrote to memory of 968	4380	Dbvsdfe.exe	83
PID 4380 wrote to memory of 968	4380	Dbvsdfe.exe	83
PID 3052 wrote to memory of 3616	3052	zxcv.exe	84
PID 3052 wrote to memory of 3616	3052	zxcv.exe	84
PID 3052 wrote to memory of 3616	3052	zxcv.exe	84
PID 3052 wrote to memory of 3616	3052	zxcv.exe	84
PID 4804 wrote to memory of 2364	4804	dfgasdme.exe	85
PID 4804 wrote to memory of 2364	4804	dfgasdme.exe	85
PID 4804 wrote to memory of 2364	4804	dfgasdme.exe	85
PID 4804 wrote to memory of 2364	4804	dfgasdme.exe	85

C:\Users\Admin\AppData\Local\Temp\zxcv.exe
"C:\Users\Admin\AppData\Local\Temp\zxcv.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
  "C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe
    "C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe"
    3⤵
    - Executes dropped EXE
    PID:968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1332
      4⤵
      Program crash
      PID:4308
- C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
  "C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe
    "C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe"
    3⤵
    - Executes dropped EXE
    PID:2364
- C:\Users\Admin\AppData\Local\Temp\zxcv.exe
  "C:\Users\Admin\AppData\Local\Temp\zxcv.exe"
  2⤵
  PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 968 -ip 968
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Filesize
212KB

MD5
3466dbd3779c31dc2fccfe73e6d6a44e

SHA1
9e3b082853d4b3b1dd1a0e4877ee4763a02c3171

SHA256
58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4

SHA512
4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Filesize
212KB

MD5
3466dbd3779c31dc2fccfe73e6d6a44e

SHA1
9e3b082853d4b3b1dd1a0e4877ee4763a02c3171

SHA256
58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4

SHA512
4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dbvsdfe.exe

Filesize
212KB

MD5
3466dbd3779c31dc2fccfe73e6d6a44e

SHA1
9e3b082853d4b3b1dd1a0e4877ee4763a02c3171

SHA256
58dedea111e322e46e115f2344c5685224004c0ebac9ab1cfba88c3105e4e5d4

SHA512
4f75e9095685f6bf3a570cd437cf9251b586ab95c7b3135750efa611d347bd4b816ba1525e08fd7776dadb03d62dbc01b9f6c8d0ba5b59d0ad2b5bf2052b67b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

Filesize
164KB

MD5
bead6aca8d274c82140361874ca95b59

SHA1
33d6cade432ebc63043170e1a8b049f51b093e59

SHA256
5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388

SHA512
293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

Filesize
164KB

MD5
bead6aca8d274c82140361874ca95b59

SHA1
33d6cade432ebc63043170e1a8b049f51b093e59

SHA256
5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388

SHA512
293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfgasdme.exe

Filesize
164KB

MD5
bead6aca8d274c82140361874ca95b59

SHA1
33d6cade432ebc63043170e1a8b049f51b093e59

SHA256
5820149ad3c898bdc7b9cf0ff98648f32192c9c5da5914aa1ae1cbe8a915c388

SHA512
293c616ca82744b34bd2ee389314de7b0fd05cc2e7d02aac08da7c11c1c201f9c026bcc66ee51d5bd0f9ee6d20660a50a9db19ca217479366ceb68d7d159eda8

Download Submit
memory/968-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2364-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3616-144-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4380-139-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads