azorult | f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2

Analysis

max time kernel
149s
max time network
160s
platform
windows7_x64
resource
win7-20220414-en
submitted
16-05-2022 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
Size

1.0MB
MD5

2292f50e6ebdf3eae9cbb254ca0464a9
SHA1

5e7897406f6a5859638982f347d569bc2bfe3614
SHA256

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2
SHA512

688c8814bef5f31254a66a4d83d08d0e2d81ee00eee7887829f3c8639c75cae323e1f30d9bb07ee1751c4c4d06d7ea6315ba48509613c5364ea930c6485586a5

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

nadia.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-76-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

VjghertvcSD.exeIhfgetrDSqwe.exeIhfgetrDSqwe.exeVjghertvcSD.exe

pid process

784 VjghertvcSD.exe
1544 IhfgetrDSqwe.exe
1248 IhfgetrDSqwe.exe
1792 VjghertvcSD.exe

pid	process
784	VjghertvcSD.exe
1544	IhfgetrDSqwe.exe
1248	IhfgetrDSqwe.exe
1792	VjghertvcSD.exe

Loads dropped DLL 11 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeIhfgetrDSqwe.exeVjghertvcSD.exeWerFault.exe

pid	process
1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
1544	IhfgetrDSqwe.exe
784	VjghertvcSD.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe
1692	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

IhfgetrDSqwe.exeVjghertvcSD.exe

pid process

1248 IhfgetrDSqwe.exe
1248 IhfgetrDSqwe.exe
1792 VjghertvcSD.exe
1792 VjghertvcSD.exe

pid	process
1248	IhfgetrDSqwe.exe
1248	IhfgetrDSqwe.exe
1792	VjghertvcSD.exe
1792	VjghertvcSD.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeIhfgetrDSqwe.exeVjghertvcSD.exe

description	pid	process	target process
PID 1664 set thread context of 1164	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1544 set thread context of 1248	1544	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 784 set thread context of 1792	784	VjghertvcSD.exe	VjghertvcSD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1692 1248 WerFault.exe IhfgetrDSqwe.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeIhfgetrDSqwe.exeVjghertvcSD.exe

pid process

1664 f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
1544 IhfgetrDSqwe.exe
784 VjghertvcSD.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeVjghertvcSD.exeIhfgetrDSqwe.exe

pid process

1664 f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
784 VjghertvcSD.exe
1544 IhfgetrDSqwe.exe

pid	pid_target	process	target process
1692	1248	WerFault.exe	IhfgetrDSqwe.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeIhfgetrDSqwe.exeVjghertvcSD.exeIhfgetrDSqwe.exe

description	pid	process	target process
PID 1664 wrote to memory of 784	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1664 wrote to memory of 784	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1664 wrote to memory of 784	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1664 wrote to memory of 784	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1664 wrote to memory of 1544	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1664 wrote to memory of 1544	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1664 wrote to memory of 1544	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1664 wrote to memory of 1544	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1664 wrote to memory of 1164	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1664 wrote to memory of 1164	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1664 wrote to memory of 1164	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1664 wrote to memory of 1164	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1664 wrote to memory of 1164	1664	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1544 wrote to memory of 1248	1544	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 1544 wrote to memory of 1248	1544	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 1544 wrote to memory of 1248	1544	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 1544 wrote to memory of 1248	1544	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 1544 wrote to memory of 1248	1544	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 784 wrote to memory of 1792	784	VjghertvcSD.exe	VjghertvcSD.exe
PID 784 wrote to memory of 1792	784	VjghertvcSD.exe	VjghertvcSD.exe
PID 784 wrote to memory of 1792	784	VjghertvcSD.exe	VjghertvcSD.exe
PID 784 wrote to memory of 1792	784	VjghertvcSD.exe	VjghertvcSD.exe
PID 784 wrote to memory of 1792	784	VjghertvcSD.exe	VjghertvcSD.exe
PID 1248 wrote to memory of 1692	1248	IhfgetrDSqwe.exe	WerFault.exe
PID 1248 wrote to memory of 1692	1248	IhfgetrDSqwe.exe	WerFault.exe
PID 1248 wrote to memory of 1692	1248	IhfgetrDSqwe.exe	WerFault.exe
PID 1248 wrote to memory of 1692	1248	IhfgetrDSqwe.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
"C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1792

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 744
4⤵
- Loads dropped DLL
- Program crash
PID:1692

C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
"C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe"
2⤵
PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
memory/784-59-0x0000000000000000-mapping.dmp

Download
memory/784-73-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/1164-71-0x000000000043FA93-mapping.dmp

Download
memory/1164-76-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1248-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1248-79-0x0000000000417A8B-mapping.dmp

Download
memory/1544-75-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1544-66-0x0000000000000000-mapping.dmp

Download
memory/1664-74-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/1664-56-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1692-89-0x0000000000000000-mapping.dmp

Download
memory/1792-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1792-84-0x000000000041A684-mapping.dmp

Download