azorult | ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20

General

Target

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
Size

932KB
MD5

2a3b3da0fbdfbcc9fafcce4708954170
SHA1

13e48a6734e0d1f2275ad42ad5630ca22ca130c9
SHA256

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20
SHA512

dae7c463ed3b01b23611470aae2d6125a428471f4b75dc2e390d1ef2bab5ba069b3775b97739627ce9c63be58d7e42f909bd6e7859fdb58e1b0dbd3b104dd3b9

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

levitt.ug

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3556-148-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

KdacfF.exe.exeOpacaF.exeKdacfF.exe.exeOpacaF.exe

pid process

4568 KdacfF.exe.exe
5104 OpacaF.exe
2040 KdacfF.exe.exe
3468 OpacaF.exe

pid	process
4568	KdacfF.exe.exe
5104	OpacaF.exe
2040	KdacfF.exe.exe
3468	OpacaF.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeKdacfF.exe.exeOpacaF.exe

description	pid	process	target process
PID 3564 set thread context of 3556	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 4568 set thread context of 2040	4568	KdacfF.exe.exe	KdacfF.exe.exe
PID 5104 set thread context of 3468	5104	OpacaF.exe	OpacaF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2408 3468 WerFault.exe OpacaF.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeKdacfF.exe.exeOpacaF.exe

pid process

3564 ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
4568 KdacfF.exe.exe
5104 OpacaF.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeKdacfF.exe.exeOpacaF.exe

pid process

3564 ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
4568 KdacfF.exe.exe
5104 OpacaF.exe

pid	pid_target	process	target process
2408	3468	WerFault.exe	OpacaF.exe

pid	process
3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
4568	KdacfF.exe.exe
5104	OpacaF.exe

pid	process
3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
4568	KdacfF.exe.exe
5104	OpacaF.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exeKdacfF.exe.exeOpacaF.exe

description	pid	process	target process
PID 3564 wrote to memory of 4568	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 3564 wrote to memory of 4568	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 3564 wrote to memory of 4568	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	KdacfF.exe.exe
PID 3564 wrote to memory of 5104	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 3564 wrote to memory of 5104	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 3564 wrote to memory of 5104	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	OpacaF.exe
PID 3564 wrote to memory of 3556	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 3564 wrote to memory of 3556	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 3564 wrote to memory of 3556	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 3564 wrote to memory of 3556	3564	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe	ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
PID 4568 wrote to memory of 2040	4568	KdacfF.exe.exe	KdacfF.exe.exe
PID 4568 wrote to memory of 2040	4568	KdacfF.exe.exe	KdacfF.exe.exe
PID 4568 wrote to memory of 2040	4568	KdacfF.exe.exe	KdacfF.exe.exe
PID 4568 wrote to memory of 2040	4568	KdacfF.exe.exe	KdacfF.exe.exe
PID 5104 wrote to memory of 3468	5104	OpacaF.exe	OpacaF.exe
PID 5104 wrote to memory of 3468	5104	OpacaF.exe	OpacaF.exe
PID 5104 wrote to memory of 3468	5104	OpacaF.exe	OpacaF.exe
PID 5104 wrote to memory of 3468	5104	OpacaF.exe	OpacaF.exe

C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
"C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
"C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
"C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe"
3⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe
"C:\Users\Admin\AppData\Local\Temp\ac0bff3a87acefe245899d7f908a0e400d49d56b75b9ee6400ac58ea180e3e20.exe"
2⤵
PID:3556

C:\Users\Admin\AppData\Roaming\OpacaF.exe
"C:\Users\Admin\AppData\Roaming\OpacaF.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Roaming\OpacaF.exe
"C:\Users\Admin\AppData\Roaming\OpacaF.exe"
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 1340
2⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3468 -ip 3468
1⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
C:\Users\Admin\AppData\Roaming\KdacfF.exe.exe
Filesize
204KB

MD5
bba648d5b17554cb4556f7f839914ef4

SHA1
b042cb93b7629159000d1fbbd70d3536bda47d2b

SHA256
da23ff82f0cb0e77e3f38a2a6fa342fdc0ff190fbf3a6042cae8fcc73d0f2788

SHA512
4d9ab7d9c6f8adec998d8924cc318a06e833fbe6230ed795e66ddc2bb26a7f028f2b18542d6f7805eda95914491e0e273cd6e4b673fa5f42431acce1887563f7

Download Submit
C:\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
C:\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
C:\Users\Admin\AppData\Roaming\OpacaF.exe
Filesize
248KB

MD5
8d6db869797db1841460c4ebd0806a84

SHA1
860985f7eaebeb1fd30fd0cf67a3ffdc85b0d054

SHA256
6da2e5337a76c07118f45ee40f9e98448bc5644b6ba79c709475de55fee1155e

SHA512
f22c4988e177521b09227559318144c386bac7eef5a877454e283967437582600ff26c9abc2b185a82b64b4f6c324cb68287bc76c956ea71758da2ad03a33d10

Download Submit
memory/2040-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2040-143-0x0000000000000000-mapping.dmp

Download
memory/3468-146-0x0000000000000000-mapping.dmp

Download
memory/3468-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-141-0x0000000000000000-mapping.dmp

Download
memory/3556-148-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/4568-145-0x0000000000800000-0x0000000000808000-memory.dmp

Filesize
32KB

Download
memory/4568-132-0x0000000000000000-mapping.dmp

Download
memory/5104-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads