azorult | 5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05

General

Target

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
Size

1.2MB
MD5

1943148892ed5fa7f23130879dfba3d8
SHA1

5840f0ce8395e98d5ba58df2a721bb5f64c135a9
SHA256

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05
SHA512

ce1b4d5afa19598f8d201bcf3a36bf5ab657c5505b2ade135fcd1c45d8be29b1e1eb05fc4256e6796b7ed22162df68b1138218ee098034486a3780a472118f2c

Score

10^/10

azorult oski raccoon 01e5d6885270e0741be9a6e9f0c5a7f148f450ea infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

projecty.ug

Extracted

Family

raccoon

Botnet

01e5d6885270e0741be9a6e9f0c5a7f148f450ea

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1968-151-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

HGFBVdfbvyhtdf.exepfdKJIvcwwqc.exepfdKJIvcwwqc.exeHGFBVdfbvyhtdf.exe

pid process

4856 HGFBVdfbvyhtdf.exe
1752 pfdKJIvcwwqc.exe
2276 pfdKJIvcwwqc.exe
728 HGFBVdfbvyhtdf.exe

pid	process
4856	HGFBVdfbvyhtdf.exe
1752	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

HGFBVdfbvyhtdf.exepfdKJIvcwwqc.exe5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe

pid	process
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
1968	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
1968	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
2276	pfdKJIvcwwqc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exepfdKJIvcwwqc.exeHGFBVdfbvyhtdf.exe

description	pid	process	target process
PID 1072 set thread context of 1968	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
PID 1752 set thread context of 2276	1752	pfdKJIvcwwqc.exe	pfdKJIvcwwqc.exe
PID 4856 set thread context of 728	4856	HGFBVdfbvyhtdf.exe	HGFBVdfbvyhtdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3444 2276 WerFault.exe pfdKJIvcwwqc.exe

pid	pid_target	process	target process
3444	2276	WerFault.exe	pfdKJIvcwwqc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HGFBVdfbvyhtdf.exepfdKJIvcwwqc.exe

pid	process
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
2276	pfdKJIvcwwqc.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe
728	HGFBVdfbvyhtdf.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exeHGFBVdfbvyhtdf.exepfdKJIvcwwqc.exe

pid process

1072 5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
4856 HGFBVdfbvyhtdf.exe
1752 pfdKJIvcwwqc.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exeHGFBVdfbvyhtdf.exepfdKJIvcwwqc.exe

pid process

1072 5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
4856 HGFBVdfbvyhtdf.exe
1752 pfdKJIvcwwqc.exe

pid	process
1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
4856	HGFBVdfbvyhtdf.exe
1752	pfdKJIvcwwqc.exe

pid	process
1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
4856	HGFBVdfbvyhtdf.exe
1752	pfdKJIvcwwqc.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exepfdKJIvcwwqc.exeHGFBVdfbvyhtdf.exe

description	pid	process	target process
PID 1072 wrote to memory of 4856	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	HGFBVdfbvyhtdf.exe
PID 1072 wrote to memory of 4856	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	HGFBVdfbvyhtdf.exe
PID 1072 wrote to memory of 4856	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	HGFBVdfbvyhtdf.exe
PID 1072 wrote to memory of 1752	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	pfdKJIvcwwqc.exe
PID 1072 wrote to memory of 1752	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	pfdKJIvcwwqc.exe
PID 1072 wrote to memory of 1752	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	pfdKJIvcwwqc.exe
PID 1072 wrote to memory of 1968	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
PID 1072 wrote to memory of 1968	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
PID 1072 wrote to memory of 1968	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
PID 1752 wrote to memory of 2276	1752	pfdKJIvcwwqc.exe	pfdKJIvcwwqc.exe
PID 1752 wrote to memory of 2276	1752	pfdKJIvcwwqc.exe	pfdKJIvcwwqc.exe
PID 1752 wrote to memory of 2276	1752	pfdKJIvcwwqc.exe	pfdKJIvcwwqc.exe
PID 4856 wrote to memory of 728	4856	HGFBVdfbvyhtdf.exe	HGFBVdfbvyhtdf.exe
PID 4856 wrote to memory of 728	4856	HGFBVdfbvyhtdf.exe	HGFBVdfbvyhtdf.exe
PID 4856 wrote to memory of 728	4856	HGFBVdfbvyhtdf.exe	HGFBVdfbvyhtdf.exe
PID 1072 wrote to memory of 1968	1072	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe	5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
PID 4856 wrote to memory of 728	4856	HGFBVdfbvyhtdf.exe	HGFBVdfbvyhtdf.exe
PID 1752 wrote to memory of 2276	1752	pfdKJIvcwwqc.exe	pfdKJIvcwwqc.exe

C:\Users\Admin\AppData\Local\Temp\5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
"C:\Users\Admin\AppData\Local\Temp\5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe
  "C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe
    "C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:728
- C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe
  "C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe
    "C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1312
      4⤵
      Program crash
      PID:3444
- C:\Users\Admin\AppData\Local\Temp\5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe
  "C:\Users\Admin\AppData\Local\Temp\5910272b991d8f96d67515878eaeb8bd961b858a230d29bd9d513fef2bdaad05.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2276 -ip 2276
1⤵
PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe

Filesize
304KB

MD5
2f8727305a7664ccca469d1f840d2ce3

SHA1
dcc159e90e30ee1eaf7afff9cafba8c315595231

SHA256
48e6ec35008f0e129264eca7a450191fb013d7956c21833a3d1dd4c020c55243

SHA512
5d369a0f2af5e9c3da278c2f01b04384a10d4f4525e1d4a539f1855e293619101bb59c9bee58af1ad7463f64b8ebdbc72a9d0d667dd340961a878efd90e440fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe

Filesize
304KB

MD5
2f8727305a7664ccca469d1f840d2ce3

SHA1
dcc159e90e30ee1eaf7afff9cafba8c315595231

SHA256
48e6ec35008f0e129264eca7a450191fb013d7956c21833a3d1dd4c020c55243

SHA512
5d369a0f2af5e9c3da278c2f01b04384a10d4f4525e1d4a539f1855e293619101bb59c9bee58af1ad7463f64b8ebdbc72a9d0d667dd340961a878efd90e440fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGFBVdfbvyhtdf.exe

Filesize
304KB

MD5
2f8727305a7664ccca469d1f840d2ce3

SHA1
dcc159e90e30ee1eaf7afff9cafba8c315595231

SHA256
48e6ec35008f0e129264eca7a450191fb013d7956c21833a3d1dd4c020c55243

SHA512
5d369a0f2af5e9c3da278c2f01b04384a10d4f4525e1d4a539f1855e293619101bb59c9bee58af1ad7463f64b8ebdbc72a9d0d667dd340961a878efd90e440fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe

Filesize
348KB

MD5
3d80b21c96765ecbd698f0bf5670c938

SHA1
c9d0fa3313782090902e06f78f6130c1d24911de

SHA256
375bcfaca06ca71823b3815814ba5430ad05b5a36da5fbd474a0e8cd2a37b15a

SHA512
ebec17341ae42affe30f5e97f3d850c5ce707cab3f6d4d14bfc835156baf71b53ee7f815bc9043c65502e8307eb7d293b15c83259d7acd97b0e09a6d690eb59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe

Filesize
348KB

MD5
3d80b21c96765ecbd698f0bf5670c938

SHA1
c9d0fa3313782090902e06f78f6130c1d24911de

SHA256
375bcfaca06ca71823b3815814ba5430ad05b5a36da5fbd474a0e8cd2a37b15a

SHA512
ebec17341ae42affe30f5e97f3d850c5ce707cab3f6d4d14bfc835156baf71b53ee7f815bc9043c65502e8307eb7d293b15c83259d7acd97b0e09a6d690eb59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfdKJIvcwwqc.exe

Filesize
348KB

MD5
3d80b21c96765ecbd698f0bf5670c938

SHA1
c9d0fa3313782090902e06f78f6130c1d24911de

SHA256
375bcfaca06ca71823b3815814ba5430ad05b5a36da5fbd474a0e8cd2a37b15a

SHA512
ebec17341ae42affe30f5e97f3d850c5ce707cab3f6d4d14bfc835156baf71b53ee7f815bc9043c65502e8307eb7d293b15c83259d7acd97b0e09a6d690eb59b

Download Submit
memory/728-144-0x0000000000000000-mapping.dmp

Download
memory/728-149-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1072-148-0x0000000002E70000-0x0000000002E77000-memory.dmp

Filesize
28KB

Download
memory/1752-135-0x0000000000000000-mapping.dmp

Download
memory/1968-142-0x0000000000000000-mapping.dmp

Download
memory/1968-151-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2276-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-143-0x0000000000000000-mapping.dmp

Download
memory/4856-132-0x0000000000000000-mapping.dmp

Download
memory/4856-147-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads