Analysis

  • max time kernel
    186s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 22:39

General

  • Target

    cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe

  • Size

    3.1MB

  • MD5

    143d0f36308fd6d510f611f37b9f0cb8

  • SHA1

    0ef800088a40ccea4126512037e7326594bbabb4

  • SHA256

    cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131

  • SHA512

    9c628fd049dcd8e88b7433b16f2b59cf251ea1e384878aba2196ff0c97474bcfc03ab4f56cdccb11b141ede4950d3a40c4b5f945c3d1927ce7941d5277a2f9b9

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes
  • url4cnc

    https://telete.in/jrikitiki

  • rc4.plain

Extracted

Family

oski

C2

levitt.ug

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • Oski

    Oski is an infostealer targeting browser data and crypto wallets.

  • Raccoon

    A simple but powerful infostealer that was very active in 2019.

  • Raccoon Stealer Payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
    "C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
      "C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
        "C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe"
        3⤵
        • Executes dropped EXE
        PID:2360
    • C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
      "C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
        "C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe"
        3⤵
        • Executes dropped EXE
        PID:3984
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1312
          4⤵
          • Program crash
          PID:3292
    • C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe
      "C:\Users\Admin\AppData\Local\Temp\cdbf4a76ee56b8f26b29fccc6fb83c672ac897795554c660bb8bbd05acd22131.exe"
      2⤵
      PID:2952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3984 -ip 3984
      1⤵
      PID:2004

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: Query Registry, T1012 (1); System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\KfdbsPioqb.exe
    Filesize

    1.1MB

    MD5

    10a1fc9651aab1b4e9c3a2419519d65a

    SHA1

    4b7b9b6900ce5233b76eaedbb6159c89fd5c0a22

    SHA256

    49b325558adee1f5055841af140be2f3137cd0b582438fe39bccfba2a4e76fda

    SHA512

    582eed99a382e99ffb574be28ab7c227c08318035d9b2056e3fc66e95d07e963c7a29bc91f3479da80e7efb417bab4f07002e39e09e918c15b11fc422c795f0e

  • C:\Users\Admin\AppData\Local\Temp\KfdbwPiovb.exe
    Filesize

    956KB

    MD5

    7103d3b5536ccc75545f75ff1fcc1917

    SHA1

    6699646eab39a42befdcf6bd17c814294f0c70c8

    SHA256

    b55f70f9082402d1396c997fb2bb6280c10e633a1532ac81e2210f06370bf0f1

    SHA512

    a2bf331d443bb2b303e30a9982c1d004bdeff123946069791b40227e34dad281a3dd247e29f6a4e542414bf976268218771ebb0ae60898f60e72fa9dbb5d691c

  • memory/2360-148-0x0000000000000000-mapping.dmp
  • memory/2360-151-0x0000000000400000-0x0000000000420000-memory.dmp
    Filesize

    128KB

  • memory/2952-145-0x0000000000000000-mapping.dmp
  • memory/2952-152-0x0000000000400000-0x0000000000493000-memory.dmp
    Filesize

    588KB

  • memory/3004-142-0x0000000003910000-0x0000000003916000-memory.dmp
    Filesize

    24KB

  • memory/3984-146-0x0000000000000000-mapping.dmp
  • memory/3984-150-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

  • memory/4540-143-0x00000000006A0000-0x00000000006A6000-memory.dmp
    Filesize

    24KB

  • memory/4540-132-0x0000000000000000-mapping.dmp
  • memory/4796-144-0x0000000002070000-0x0000000002078000-memory.dmp
    Filesize

    32KB

  • memory/4796-136-0x0000000000000000-mapping.dmp