azorult | fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493

General

Target

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
Size

1.0MB
MD5

1d14c938c3dc37a1e53ffa556b22d177
SHA1

d212b0d999e33da5994d3966e4bcbb369b1c7289
SHA256

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493
SHA512

816370cd07c7c04fd6a113c2ebb8fa878d7b4df186101e5bd337bc1f931c292d9d72c7cd6c2895c17be612c79d5ab5a56a848407a8072a25f2817f98c1bac176

Score

10^/10

azorult oski raccoon d58ee081e4d259676e5c18189c82f5356e64ec30 infostealer spyware stealer trojan

Malware Config

Extracted

Family

oski

C2

courtneysdv.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

d58ee081e4d259676e5c18189c82f5356e64ec30

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3628-150-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

CVhffgrdDFbv.exezVhgfgjbnv.exeCVhffgrdDFbv.exezVhgfgjbnv.exe

pid process

2552 CVhffgrdDFbv.exe
3124 zVhgfgjbnv.exe
4044 CVhffgrdDFbv.exe
4888 zVhgfgjbnv.exe

pid	process
2552	CVhffgrdDFbv.exe
3124	zVhgfgjbnv.exe
4044	CVhffgrdDFbv.exe
4888	zVhgfgjbnv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

CVhffgrdDFbv.exefccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exezVhgfgjbnv.exe

pid	process
4044	CVhffgrdDFbv.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
4044	CVhffgrdDFbv.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exeCVhffgrdDFbv.exezVhgfgjbnv.exe

description	pid	process	target process
PID 4016 set thread context of 3628	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
PID 2552 set thread context of 4044	2552	CVhffgrdDFbv.exe	CVhffgrdDFbv.exe
PID 3124 set thread context of 4888	3124	zVhgfgjbnv.exe	zVhgfgjbnv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4752 4888 WerFault.exe zVhgfgjbnv.exe

pid	pid_target	process	target process
4752	4888	WerFault.exe	zVhgfgjbnv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exezVhgfgjbnv.exe

pid	process
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
4888	zVhgfgjbnv.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
3628	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exeCVhffgrdDFbv.exezVhgfgjbnv.exe

pid process

4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
2552 CVhffgrdDFbv.exe
3124 zVhgfgjbnv.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exeCVhffgrdDFbv.exezVhgfgjbnv.exe

pid process

4016 fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
2552 CVhffgrdDFbv.exe
3124 zVhgfgjbnv.exe

pid	process
4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
2552	CVhffgrdDFbv.exe
3124	zVhgfgjbnv.exe

pid	process
4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
2552	CVhffgrdDFbv.exe
3124	zVhgfgjbnv.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exeCVhffgrdDFbv.exezVhgfgjbnv.exe

description	pid	process	target process
PID 4016 wrote to memory of 2552	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	CVhffgrdDFbv.exe
PID 4016 wrote to memory of 2552	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	CVhffgrdDFbv.exe
PID 4016 wrote to memory of 2552	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	CVhffgrdDFbv.exe
PID 4016 wrote to memory of 3124	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	zVhgfgjbnv.exe
PID 4016 wrote to memory of 3124	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	zVhgfgjbnv.exe
PID 4016 wrote to memory of 3124	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	zVhgfgjbnv.exe
PID 4016 wrote to memory of 3628	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
PID 4016 wrote to memory of 3628	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
PID 4016 wrote to memory of 3628	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
PID 4016 wrote to memory of 3628	4016	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe	fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
PID 2552 wrote to memory of 4044	2552	CVhffgrdDFbv.exe	CVhffgrdDFbv.exe
PID 2552 wrote to memory of 4044	2552	CVhffgrdDFbv.exe	CVhffgrdDFbv.exe
PID 2552 wrote to memory of 4044	2552	CVhffgrdDFbv.exe	CVhffgrdDFbv.exe
PID 2552 wrote to memory of 4044	2552	CVhffgrdDFbv.exe	CVhffgrdDFbv.exe
PID 3124 wrote to memory of 4888	3124	zVhgfgjbnv.exe	zVhgfgjbnv.exe
PID 3124 wrote to memory of 4888	3124	zVhgfgjbnv.exe	zVhgfgjbnv.exe
PID 3124 wrote to memory of 4888	3124	zVhgfgjbnv.exe	zVhgfgjbnv.exe
PID 3124 wrote to memory of 4888	3124	zVhgfgjbnv.exe	zVhgfgjbnv.exe

C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
"C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
"C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2552

C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
"C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4044

C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
"C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
"C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 1304
4⤵
- Program crash
PID:4752

C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe
"C:\Users\Admin\AppData\Local\Temp\fccc12ba866c71644e8d877c8780ee0ba0178c1712b3c05f957f90f59de6d493.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4888 -ip 4888
1⤵
PID:4636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
Filesize
232KB

MD5
02a3dc4aeb09f2d0c48a47922bed2d73

SHA1
ad59fb3b77bb02a2a38ddba31d617b17eeffb276

SHA256
4a2d4f9ed9d34ba93219ad56c5d20902b89ecf8541afde59d1c321e0784f3b57

SHA512
22bab6e49b3528b8e74b943c70541b1fbf4eb5b0d57924bf4bf4ae461fd5253e1d6ea3b7b1aff9263f1175d059c8daa4cb6236e869a16b2e585cc0ebe58f9e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
Filesize
232KB

MD5
02a3dc4aeb09f2d0c48a47922bed2d73

SHA1
ad59fb3b77bb02a2a38ddba31d617b17eeffb276

SHA256
4a2d4f9ed9d34ba93219ad56c5d20902b89ecf8541afde59d1c321e0784f3b57

SHA512
22bab6e49b3528b8e74b943c70541b1fbf4eb5b0d57924bf4bf4ae461fd5253e1d6ea3b7b1aff9263f1175d059c8daa4cb6236e869a16b2e585cc0ebe58f9e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\CVhffgrdDFbv.exe
Filesize
232KB

MD5
02a3dc4aeb09f2d0c48a47922bed2d73

SHA1
ad59fb3b77bb02a2a38ddba31d617b17eeffb276

SHA256
4a2d4f9ed9d34ba93219ad56c5d20902b89ecf8541afde59d1c321e0784f3b57

SHA512
22bab6e49b3528b8e74b943c70541b1fbf4eb5b0d57924bf4bf4ae461fd5253e1d6ea3b7b1aff9263f1175d059c8daa4cb6236e869a16b2e585cc0ebe58f9e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
Filesize
276KB

MD5
3353c49b01e245c14103afb71443c724

SHA1
9d51ca208eb1d2d7e0b9bbd399af7e17bfcb2e97

SHA256
29fc25aa5e1cae33ce7df5819cb4cd586784828039f4cda5b4f16583cf92a2d6

SHA512
a636f77352ccf2a52778631f2c43365290ae9a7da8e686c28ebe259c63f910269b9f0df5d0595cd46d25f9aa64c84c6423e596fc771ef4c9e024be75448b50df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
Filesize
276KB

MD5
3353c49b01e245c14103afb71443c724

SHA1
9d51ca208eb1d2d7e0b9bbd399af7e17bfcb2e97

SHA256
29fc25aa5e1cae33ce7df5819cb4cd586784828039f4cda5b4f16583cf92a2d6

SHA512
a636f77352ccf2a52778631f2c43365290ae9a7da8e686c28ebe259c63f910269b9f0df5d0595cd46d25f9aa64c84c6423e596fc771ef4c9e024be75448b50df

Download Submit
C:\Users\Admin\AppData\Local\Temp\zVhgfgjbnv.exe
Filesize
276KB

MD5
3353c49b01e245c14103afb71443c724

SHA1
9d51ca208eb1d2d7e0b9bbd399af7e17bfcb2e97

SHA256
29fc25aa5e1cae33ce7df5819cb4cd586784828039f4cda5b4f16583cf92a2d6

SHA512
a636f77352ccf2a52778631f2c43365290ae9a7da8e686c28ebe259c63f910269b9f0df5d0595cd46d25f9aa64c84c6423e596fc771ef4c9e024be75448b50df

Download Submit
memory/2552-132-0x0000000000000000-mapping.dmp

Download
memory/3124-136-0x0000000000000000-mapping.dmp

Download
memory/3628-142-0x0000000000000000-mapping.dmp

Download
memory/3628-150-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4016-145-0x00000000035F0000-0x00000000035F7000-memory.dmp

Filesize
28KB

Download
memory/4044-143-0x0000000000000000-mapping.dmp

Download
memory/4044-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4888-146-0x0000000000000000-mapping.dmp

Download
memory/4888-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads