azorult | f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2

General

Target

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
Size

1.0MB
MD5

2292f50e6ebdf3eae9cbb254ca0464a9
SHA1

5e7897406f6a5859638982f347d569bc2bfe3614
SHA256

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2
SHA512

688c8814bef5f31254a66a4d83d08d0e2d81ee00eee7887829f3c8639c75cae323e1f30d9bb07ee1751c4c4d06d7ea6315ba48509613c5364ea930c6485586a5

Score

10^/10

azorult oski raccoon 236c7f8a01d741b888dc6b6209805e66d41e62ba infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

236c7f8a01d741b888dc6b6209805e66d41e62ba

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

nadia.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1272-146-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

VjghertvcSD.exeIhfgetrDSqwe.exeVjghertvcSD.exeIhfgetrDSqwe.exe

pid process

4388 VjghertvcSD.exe
4108 IhfgetrDSqwe.exe
4216 VjghertvcSD.exe
4368 IhfgetrDSqwe.exe

pid	process
4388	VjghertvcSD.exe
4108	IhfgetrDSqwe.exe
4216	VjghertvcSD.exe
4368	IhfgetrDSqwe.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

VjghertvcSD.exeIhfgetrDSqwe.exe

pid process

4216 VjghertvcSD.exe
4216 VjghertvcSD.exe
4368 IhfgetrDSqwe.exe
4368 IhfgetrDSqwe.exe

pid	process
4216	VjghertvcSD.exe
4216	VjghertvcSD.exe
4368	IhfgetrDSqwe.exe
4368	IhfgetrDSqwe.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeVjghertvcSD.exeIhfgetrDSqwe.exe

description	pid	process	target process
PID 1792 set thread context of 1272	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 4388 set thread context of 4216	4388	VjghertvcSD.exe	VjghertvcSD.exe
PID 4108 set thread context of 4368	4108	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3728 4368 WerFault.exe IhfgetrDSqwe.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeVjghertvcSD.exeIhfgetrDSqwe.exe

pid process

1792 f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
4388 VjghertvcSD.exe
4108 IhfgetrDSqwe.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeVjghertvcSD.exeIhfgetrDSqwe.exe

pid process

1792 f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
4388 VjghertvcSD.exe
4108 IhfgetrDSqwe.exe

pid	pid_target	process	target process
3728	4368	WerFault.exe	IhfgetrDSqwe.exe

pid	process
1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
4388	VjghertvcSD.exe
4108	IhfgetrDSqwe.exe

pid	process
1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
4388	VjghertvcSD.exe
4108	IhfgetrDSqwe.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exeVjghertvcSD.exeIhfgetrDSqwe.exe

description	pid	process	target process
PID 1792 wrote to memory of 4388	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1792 wrote to memory of 4388	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1792 wrote to memory of 4388	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	VjghertvcSD.exe
PID 1792 wrote to memory of 4108	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1792 wrote to memory of 4108	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1792 wrote to memory of 4108	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	IhfgetrDSqwe.exe
PID 1792 wrote to memory of 1272	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1792 wrote to memory of 1272	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1792 wrote to memory of 1272	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 1792 wrote to memory of 1272	1792	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe	f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
PID 4388 wrote to memory of 4216	4388	VjghertvcSD.exe	VjghertvcSD.exe
PID 4388 wrote to memory of 4216	4388	VjghertvcSD.exe	VjghertvcSD.exe
PID 4388 wrote to memory of 4216	4388	VjghertvcSD.exe	VjghertvcSD.exe
PID 4388 wrote to memory of 4216	4388	VjghertvcSD.exe	VjghertvcSD.exe
PID 4108 wrote to memory of 4368	4108	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 4108 wrote to memory of 4368	4108	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 4108 wrote to memory of 4368	4108	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe
PID 4108 wrote to memory of 4368	4108	IhfgetrDSqwe.exe	IhfgetrDSqwe.exe

C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
"C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
"C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4216

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
"C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 1312
4⤵
- Program crash
PID:3728

C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe
"C:\Users\Admin\AppData\Local\Temp\f539c1e201030689ba917991a929526485f79e99f421802a9a7dc4d9a962ecd2.exe"
2⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4368 -ip 4368
1⤵
PID:2824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IhfgetrDSqwe.exe
Filesize
244KB

MD5
e22eec453d5d077fecdc1fe9ead85a16

SHA1
fdca78352ec06d5b695db0ad3b8c4acb8ba965ba

SHA256
a52ed8a9f6d0d26517e6c0940c46345235f226634031fb5ab285f5c1a5d5d7b1

SHA512
24e0ff9e37fce0bd0d89215819ae6b44646193a27f424a7475d0d9922902dedc767fb558ffa3a045a2d444665fedbeea86cb821de8415bcb4cfdecd6e4ef140f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
C:\Users\Admin\AppData\Local\Temp\VjghertvcSD.exe
Filesize
200KB

MD5
ce9ef402a6bb862ee9320dbdff92724c

SHA1
5a5f67412735e2be4f21d184ab6cc2c427eba389

SHA256
7c95dcd99bc8274293fc772afe6ad67ba2dccadb671dad68ee9fe5898ff25ea6

SHA512
8d38528418d2f260f5699456bc0525dbefe047be233ac5b3a735836f0810227821acf05a78200fd48592117906acc04e9c30d66f3d51be87e91512bcbffd0048

Download Submit
memory/1272-140-0x0000000000000000-mapping.dmp

Download
memory/1272-146-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1792-143-0x00000000035F0000-0x00000000035F7000-memory.dmp

Filesize
28KB

Download
memory/4108-145-0x0000000000700000-0x0000000000708000-memory.dmp

Filesize
32KB

Download
memory/4108-137-0x0000000000000000-mapping.dmp

Download
memory/4216-147-0x0000000000000000-mapping.dmp

Download
memory/4216-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4368-150-0x0000000000000000-mapping.dmp

Download
memory/4368-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-144-0x00000000005B0000-0x00000000005B8000-memory.dmp

Filesize
32KB

Download
memory/4388-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads