azorult | dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
Size

1.8MB
MD5

92821d6dd83105f5f2d08c43f28fa309
SHA1

93c72e2494705509b56ca93cea2448aff098cb6d
SHA256

dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8
SHA512

47c3a27b5a9fa6273d779ed8afffeb2bbbecab6420708f0ca36629932e1d910e06297839ca39ec01fe7e975a52ed12aaa0e781f5112870e1b7621722e1808c08

Score

10^/10

azorult oski raccoon cf43f57ef5d1c064538f5f9d27891dc66c96dad8 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

nadia.ac.ug

Extracted

Family

raccoon

Botnet

cf43f57ef5d1c064538f5f9d27891dc66c96dad8

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/520-86-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

FVjhgtresfdbv.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exe

pid process

552 FVjhgtresfdbv.exe
1092 NHtrdsaghfDF.exe
1612 FVjhgtresfdbv.exe
536 NHtrdsaghfDF.exe

pid	process
552	FVjhgtresfdbv.exe
1092	NHtrdsaghfDF.exe
1612	FVjhgtresfdbv.exe
536	NHtrdsaghfDF.exe

Loads dropped DLL 11 IoCs

Processes:

dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exeWerFault.exe

pid	process
1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
552	FVjhgtresfdbv.exe
1092	NHtrdsaghfDF.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

FVjhgtresfdbv.exedc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exeNHtrdsaghfDF.exe

description	pid	process	target process
PID 552 set thread context of 1612	552	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 1532 set thread context of 520	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
PID 1092 set thread context of 536	1092	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1072 1612 WerFault.exe FVjhgtresfdbv.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

FVjhgtresfdbv.exedc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exeNHtrdsaghfDF.exe

pid process

552 FVjhgtresfdbv.exe
1532 dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
1092 NHtrdsaghfDF.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exe

pid process

1532 dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
552 FVjhgtresfdbv.exe
1092 NHtrdsaghfDF.exe

pid	pid_target	process	target process
1072	1612	WerFault.exe	FVjhgtresfdbv.exe

pid	process
552	FVjhgtresfdbv.exe
1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
1092	NHtrdsaghfDF.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exeFVjhgtresfdbv.exeNHtrdsaghfDF.exeFVjhgtresfdbv.exe

description	pid	process	target process
PID 1532 wrote to memory of 552	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	FVjhgtresfdbv.exe
PID 1532 wrote to memory of 552	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	FVjhgtresfdbv.exe
PID 1532 wrote to memory of 552	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	FVjhgtresfdbv.exe
PID 1532 wrote to memory of 552	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	FVjhgtresfdbv.exe
PID 1532 wrote to memory of 1092	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	NHtrdsaghfDF.exe
PID 1532 wrote to memory of 1092	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	NHtrdsaghfDF.exe
PID 1532 wrote to memory of 1092	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	NHtrdsaghfDF.exe
PID 1532 wrote to memory of 1092	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	NHtrdsaghfDF.exe
PID 552 wrote to memory of 1612	552	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 552 wrote to memory of 1612	552	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 552 wrote to memory of 1612	552	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 552 wrote to memory of 1612	552	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 552 wrote to memory of 1612	552	FVjhgtresfdbv.exe	FVjhgtresfdbv.exe
PID 1532 wrote to memory of 520	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
PID 1532 wrote to memory of 520	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
PID 1532 wrote to memory of 520	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
PID 1532 wrote to memory of 520	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
PID 1532 wrote to memory of 520	1532	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe	dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
PID 1092 wrote to memory of 536	1092	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 1092 wrote to memory of 536	1092	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 1092 wrote to memory of 536	1092	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 1092 wrote to memory of 536	1092	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 1092 wrote to memory of 536	1092	NHtrdsaghfDF.exe	NHtrdsaghfDF.exe
PID 1612 wrote to memory of 1072	1612	FVjhgtresfdbv.exe	WerFault.exe
PID 1612 wrote to memory of 1072	1612	FVjhgtresfdbv.exe	WerFault.exe
PID 1612 wrote to memory of 1072	1612	FVjhgtresfdbv.exe	WerFault.exe
PID 1612 wrote to memory of 1072	1612	FVjhgtresfdbv.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
"C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
"C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 800
4⤵
- Loads dropped DLL
- Program crash
PID:1072

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
"C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe"
3⤵
- Executes dropped EXE
PID:536

C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe
"C:\Users\Admin\AppData\Local\Temp\dc3171271adef72e1faf51d68c3c76daaffa9f097ef6d51aa600c98f129209e8.exe"
2⤵
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
Filesize
492KB

MD5
35bccedd18360d94a33d86c09af8480c

SHA1
013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

SHA256
ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

SHA512
31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
Filesize
492KB

MD5
35bccedd18360d94a33d86c09af8480c

SHA1
013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

SHA256
ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

SHA512
31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
Filesize
492KB

MD5
35bccedd18360d94a33d86c09af8480c

SHA1
013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

SHA256
ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

SHA512
31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\FVjhgtresfdbv.exe
Filesize
540KB

MD5
385e5b97d97b89cacff3594eafeb0e5e

SHA1
70e73110860c36c83c504f4804e3cebde2a618a1

SHA256
7b02ca9b842110100cd0471c27498b46a2542507ffaee32086bdfa4fd9c736b3

SHA512
f83f175846b8b674e140fff442ba8958bceb63fba2cdc2ab6c2b1e047e6c0d22c3f0ce36c9fcf44c7f744099a44fe9f497494d4e2eb47579af133c1b3dc20d83

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
Filesize
492KB

MD5
35bccedd18360d94a33d86c09af8480c

SHA1
013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

SHA256
ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

SHA512
31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
Filesize
492KB

MD5
35bccedd18360d94a33d86c09af8480c

SHA1
013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

SHA256
ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

SHA512
31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

Download Submit
\Users\Admin\AppData\Local\Temp\NHtrdsaghfDF.exe
Filesize
492KB

MD5
35bccedd18360d94a33d86c09af8480c

SHA1
013ab842c5b2ded0a930fc3d4f59a13d3ff66dc0

SHA256
ede4a3065bf86d3c92312a291f9776c231f728a32d59dcb1621bee320855ad9f

SHA512
31611f22f437bd12a4536eab643f0bf06070c5fbaedae27fc0117f1a4afca1b52d2fbc16e1a77587a4d069448bf8f158c8bbff46cfefc5bc9eccafe5421abd6f

Download Submit
memory/520-75-0x000000000043FCC3-mapping.dmp

Download
memory/520-86-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/536-81-0x000000000041A684-mapping.dmp

Download
memory/536-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/552-77-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/552-59-0x0000000000000000-mapping.dmp

Download
memory/1072-87-0x0000000000000000-mapping.dmp

Download
memory/1092-66-0x0000000000000000-mapping.dmp

Download
memory/1532-56-0x0000000076241000-0x0000000076243000-memory.dmp

Filesize
8KB

Download
memory/1612-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-70-0x0000000000417A8B-mapping.dmp

Download