azorult | cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
Size

3.1MB
MD5

143d0f36308fd6d510f611f37b9f0cb8
SHA1

0ef800088a40ccea4126512037e7326594bbabb4
SHA256

cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131
SHA512

9c628fd049dcd8e88b7433b16f2b59cf251ea1e384878aba2196ff0c97474bcfc03ab4f56cdccb11b141ede4950d3a40c4b5f945c3d1927ce7941d5277a2f9b9

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

levitt.ug

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1244-86-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

KfdbwPiovb.exeKfdbsPioqb.exeKfdbwPiovb.exeKfdbsPioqb.exe

pid process

1804 KfdbwPiovb.exe
836 KfdbsPioqb.exe
2044 KfdbwPiovb.exe
568 KfdbsPioqb.exe

pid	process
1804	KfdbwPiovb.exe
836	KfdbsPioqb.exe
2044	KfdbwPiovb.exe
568	KfdbsPioqb.exe

Loads dropped DLL 11 IoCs

Processes:

cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exeKfdbwPiovb.exeKfdbsPioqb.exeWerFault.exe

pid	process
272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
1804	KfdbwPiovb.exe
836	KfdbsPioqb.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe
1512	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

KfdbwPiovb.exeKfdbsPioqb.execdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe

description	pid	process	target process
PID 1804 set thread context of 2044	1804	KfdbwPiovb.exe	KfdbwPiovb.exe
PID 836 set thread context of 568	836	KfdbsPioqb.exe	KfdbsPioqb.exe
PID 272 set thread context of 1244	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 568 WerFault.exe KfdbsPioqb.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

KfdbwPiovb.exeKfdbsPioqb.execdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe

pid process

1804 KfdbwPiovb.exe
836 KfdbsPioqb.exe
272 cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exeKfdbwPiovb.exeKfdbsPioqb.exe

pid process

272 cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
1804 KfdbwPiovb.exe
836 KfdbsPioqb.exe

pid	pid_target	process	target process
1512	568	WerFault.exe	KfdbsPioqb.exe

pid	process
1804	KfdbwPiovb.exe
836	KfdbsPioqb.exe
272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exeKfdbwPiovb.exeKfdbsPioqb.exeKfdbsPioqb.exe

description	pid	process	target process
PID 272 wrote to memory of 1804	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbwPiovb.exe
PID 272 wrote to memory of 1804	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbwPiovb.exe
PID 272 wrote to memory of 1804	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbwPiovb.exe
PID 272 wrote to memory of 1804	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbwPiovb.exe
PID 272 wrote to memory of 836	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbsPioqb.exe
PID 272 wrote to memory of 836	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbsPioqb.exe
PID 272 wrote to memory of 836	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbsPioqb.exe
PID 272 wrote to memory of 836	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	KfdbsPioqb.exe
PID 1804 wrote to memory of 2044	1804	KfdbwPiovb.exe	KfdbwPiovb.exe
PID 1804 wrote to memory of 2044	1804	KfdbwPiovb.exe	KfdbwPiovb.exe
PID 1804 wrote to memory of 2044	1804	KfdbwPiovb.exe	KfdbwPiovb.exe
PID 1804 wrote to memory of 2044	1804	KfdbwPiovb.exe	KfdbwPiovb.exe
PID 1804 wrote to memory of 2044	1804	KfdbwPiovb.exe	KfdbwPiovb.exe
PID 836 wrote to memory of 568	836	KfdbsPioqb.exe	KfdbsPioqb.exe
PID 836 wrote to memory of 568	836	KfdbsPioqb.exe	KfdbsPioqb.exe
PID 836 wrote to memory of 568	836	KfdbsPioqb.exe	KfdbsPioqb.exe
PID 836 wrote to memory of 568	836	KfdbsPioqb.exe	KfdbsPioqb.exe
PID 836 wrote to memory of 568	836	KfdbsPioqb.exe	KfdbsPioqb.exe
PID 272 wrote to memory of 1244	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
PID 272 wrote to memory of 1244	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
PID 272 wrote to memory of 1244	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
PID 272 wrote to memory of 1244	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
PID 272 wrote to memory of 1244	272	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe	cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
PID 568 wrote to memory of 1512	568	KfdbsPioqb.exe	WerFault.exe
PID 568 wrote to memory of 1512	568	KfdbsPioqb.exe	WerFault.exe
PID 568 wrote to memory of 1512	568	KfdbsPioqb.exe	WerFault.exe
PID 568 wrote to memory of 1512	568	KfdbsPioqb.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
"C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:272

C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
"C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
"C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 852
4⤵
- Loads dropped DLL
- Program crash
PID:1512

C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
"C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
"C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"
3⤵
- Executes dropped EXE
PID:2044

C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
"C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"
2⤵
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
Filesize
956KB

MD5
7103d3b5536ccc75545f75ff1fcc1917

SHA1
6699646eab39a42befdcf6bd17c814294f0c70c8

SHA256
b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

SHA512
a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
Filesize
956KB

MD5
7103d3b5536ccc75545f75ff1fcc1917

SHA1
6699646eab39a42befdcf6bd17c814294f0c70c8

SHA256
b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

SHA512
a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
Filesize
956KB

MD5
7103d3b5536ccc75545f75ff1fcc1917

SHA1
6699646eab39a42befdcf6bd17c814294f0c70c8

SHA256
b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

SHA512
a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
Filesize
1.1MB

MD5
10a1fc9651aab1b4e9c3a2419519d65a

SHA1
4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

SHA256
49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

SHA512
582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
Filesize
956KB

MD5
7103d3b5536ccc75545f75ff1fcc1917

SHA1
6699646eab39a42befdcf6bd17c814294f0c70c8

SHA256
b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

SHA512
a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
Filesize
956KB

MD5
7103d3b5536ccc75545f75ff1fcc1917

SHA1
6699646eab39a42befdcf6bd17c814294f0c70c8

SHA256
b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

SHA512
a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

Download Submit
\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
Filesize
956KB

MD5
7103d3b5536ccc75545f75ff1fcc1917

SHA1
6699646eab39a42befdcf6bd17c814294f0c70c8

SHA256
b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

SHA512
a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

Download Submit
memory/272-56-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/568-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-79-0x0000000000417A8B-mapping.dmp

Download
memory/836-66-0x0000000000000000-mapping.dmp

Download
memory/836-82-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/1244-81-0x000000000043FA98-mapping.dmp

Download
memory/1244-86-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1512-88-0x0000000000000000-mapping.dmp

Download
memory/1804-59-0x0000000000000000-mapping.dmp

Download
memory/1804-75-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2044-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2044-73-0x000000000041A684-mapping.dmp

Download