azorult | ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20

Analysis

max time kernel
139s
max time network
146s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
Size

932KB
MD5

2a3b3da0fbdfbcc9fafcce4708954170
SHA1

13e48a6734e0d1f2275ad42ad5630ca22ca130c9
SHA256

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20
SHA512

dae7c463ed3b01b23611470aae2d6125a428471f4b75dc2e390d1ef2bab5ba069b3775b97739627ce9c63be58d7e42f909bd6e7859fdb58e1b0dbd3b104dd3b9

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Extracted

Family

oski

levitt.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2016-85-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

KdacfF.exe.exeOpacaF.exeKdacfF.exe.exeOpacaF.exe

pid process

908 KdacfF.exe.exe
1664 OpacaF.exe
1156 KdacfF.exe.exe
696 OpacaF.exe

pid	process
908	KdacfF.exe.exe
1664	OpacaF.exe
1156	KdacfF.exe.exe
696	OpacaF.exe

Loads dropped DLL 9 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeWerFault.exe

pid	process
1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

KdacfF.exe.exeac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeOpacaF.exe

description	pid	process	target process
PID 908 set thread context of 1156	908	KdacfF.exe.exe	KdacfF.exe.exe
PID 1100 set thread context of 2016	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 1664 set thread context of 696	1664	OpacaF.exe	OpacaF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

964 696 WerFault.exe OpacaF.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

KdacfF.exe.exeac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeOpacaF.exe

pid process

908 KdacfF.exe.exe
1100 ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
1664 OpacaF.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeKdacfF.exe.exeOpacaF.exe

pid process

1100 ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
908 KdacfF.exe.exe
1664 OpacaF.exe

pid	pid_target	process	target process
964	696	WerFault.exe	OpacaF.exe

pid	process
908	KdacfF.exe.exe
1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
1664	OpacaF.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeKdacfF.exe.exeOpacaF.exeOpacaF.exe

description	pid	process	target process
PID 1100 wrote to memory of 908	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 1100 wrote to memory of 908	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 1100 wrote to memory of 908	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 1100 wrote to memory of 908	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 1100 wrote to memory of 1664	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 1100 wrote to memory of 1664	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 1100 wrote to memory of 1664	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 1100 wrote to memory of 1664	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 908 wrote to memory of 1156	908	KdacfF.exe.exe	KdacfF.exe.exe
PID 908 wrote to memory of 1156	908	KdacfF.exe.exe	KdacfF.exe.exe
PID 908 wrote to memory of 1156	908	KdacfF.exe.exe	KdacfF.exe.exe
PID 908 wrote to memory of 1156	908	KdacfF.exe.exe	KdacfF.exe.exe
PID 908 wrote to memory of 1156	908	KdacfF.exe.exe	KdacfF.exe.exe
PID 1100 wrote to memory of 2016	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 1100 wrote to memory of 2016	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 1100 wrote to memory of 2016	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 1100 wrote to memory of 2016	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 1100 wrote to memory of 2016	1100	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 1664 wrote to memory of 696	1664	OpacaF.exe	OpacaF.exe
PID 1664 wrote to memory of 696	1664	OpacaF.exe	OpacaF.exe
PID 1664 wrote to memory of 696	1664	OpacaF.exe	OpacaF.exe
PID 1664 wrote to memory of 696	1664	OpacaF.exe	OpacaF.exe
PID 1664 wrote to memory of 696	1664	OpacaF.exe	OpacaF.exe
PID 696 wrote to memory of 964	696	OpacaF.exe	WerFault.exe
PID 696 wrote to memory of 964	696	OpacaF.exe	WerFault.exe
PID 696 wrote to memory of 964	696	OpacaF.exe	WerFault.exe
PID 696 wrote to memory of 964	696	OpacaF.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
"C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
"C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe"
2⤵
PID:2016

C:\Users\Admin\AppData\Roaming\OpacaF.exe
"C:\Users\Admin\AppData\Roaming\OpacaF.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
"C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\OpacaF.exe
"C:\Users\Admin\AppData\Roaming\OpacaF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 632
2⤵
- Loads dropped DLL
- Program crash
PID:964

C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
"C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe"
1⤵
- Executes dropped EXE
PID:1156

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
C:\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
C:\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
C:\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe

Download Submit
\Users\Admin\AppData\Roaming\OpacaF.exe

Download Submit
memory/696-80-0x0000000000417A8B-mapping.dmp

Download
memory/696-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-68-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/908-59-0x0000000000000000-mapping.dmp

Download
memory/964-86-0x0000000000000000-mapping.dmp

Download
memory/1100-70-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/1100-56-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1156-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1156-72-0x000000000041A684-mapping.dmp

Download
memory/1664-66-0x0000000000000000-mapping.dmp

Download
memory/2016-85-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2016-73-0x000000000043FA98-mapping.dmp

Download