azorult | f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53

Analysis

max time kernel
152s
max time network
174s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
Size

1.4MB
MD5

01f6d86a3e0050cb116ad4f16f12a420
SHA1

1d970042bb5b4d6fe680c177c44529f6a7671c3c
SHA256

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53
SHA512

b6a33c16bd8786d84cca5bad32a6fe80698dae7d031207048d38fadc8962e011432c7cd9519353b821ef90ab91a59088b11ba72109ab20d234cc20bc28589939

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

aleaiasko.ug

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1296-86-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

Hfkvbscdium.exePothqncmajgF.exeHfkvbscdium.exePothqncmajgF.exe

pid process

1728 Hfkvbscdium.exe
956 PothqncmajgF.exe
1336 Hfkvbscdium.exe
2044 PothqncmajgF.exe

pid	process
1728	Hfkvbscdium.exe
956	PothqncmajgF.exe
1336	Hfkvbscdium.exe
2044	PothqncmajgF.exe

Loads dropped DLL 11 IoCs

Processes:

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exeHfkvbscdium.exePothqncmajgF.exeWerFault.exe

pid	process
1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
1728	Hfkvbscdium.exe
956	PothqncmajgF.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

Hfkvbscdium.exef16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exePothqncmajgF.exe

description	pid	process	target process
PID 1728 set thread context of 1336	1728	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 1640 set thread context of 1296	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 956 set thread context of 2044	956	PothqncmajgF.exe	PothqncmajgF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1616 2044 WerFault.exe PothqncmajgF.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Hfkvbscdium.exef16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exePothqncmajgF.exe

pid process

1728 Hfkvbscdium.exe
1640 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
956 PothqncmajgF.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exeHfkvbscdium.exePothqncmajgF.exe

pid process

1640 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
1728 Hfkvbscdium.exe
956 PothqncmajgF.exe

pid	pid_target	process	target process
1616	2044	WerFault.exe	PothqncmajgF.exe

pid	process
1728	Hfkvbscdium.exe
1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
956	PothqncmajgF.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exeHfkvbscdium.exePothqncmajgF.exePothqncmajgF.exe

description	pid	process	target process
PID 1640 wrote to memory of 1728	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 1640 wrote to memory of 1728	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 1640 wrote to memory of 1728	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 1640 wrote to memory of 1728	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 1640 wrote to memory of 956	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 1640 wrote to memory of 956	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 1640 wrote to memory of 956	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 1640 wrote to memory of 956	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 1728 wrote to memory of 1336	1728	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 1728 wrote to memory of 1336	1728	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 1728 wrote to memory of 1336	1728	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 1728 wrote to memory of 1336	1728	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 1728 wrote to memory of 1336	1728	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 1640 wrote to memory of 1296	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 1640 wrote to memory of 1296	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 1640 wrote to memory of 1296	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 1640 wrote to memory of 1296	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 1640 wrote to memory of 1296	1640	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 956 wrote to memory of 2044	956	PothqncmajgF.exe	PothqncmajgF.exe
PID 956 wrote to memory of 2044	956	PothqncmajgF.exe	PothqncmajgF.exe
PID 956 wrote to memory of 2044	956	PothqncmajgF.exe	PothqncmajgF.exe
PID 956 wrote to memory of 2044	956	PothqncmajgF.exe	PothqncmajgF.exe
PID 956 wrote to memory of 2044	956	PothqncmajgF.exe	PothqncmajgF.exe
PID 2044 wrote to memory of 1616	2044	PothqncmajgF.exe	WerFault.exe
PID 2044 wrote to memory of 1616	2044	PothqncmajgF.exe	WerFault.exe
PID 2044 wrote to memory of 1616	2044	PothqncmajgF.exe	WerFault.exe
PID 2044 wrote to memory of 1616	2044	PothqncmajgF.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
"C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
"C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
"C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe"
3⤵
- Executes dropped EXE
PID:1336

C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
"C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
"C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 788
4⤵
- Loads dropped DLL
- Program crash
PID:1616

C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
"C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"
2⤵
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
memory/956-66-0x0000000000000000-mapping.dmp

Download
memory/1296-86-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1296-74-0x000000000043FA98-mapping.dmp

Download
memory/1336-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1336-73-0x000000000041A684-mapping.dmp

Download
memory/1616-87-0x0000000000000000-mapping.dmp

Download
memory/1640-56-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1728-75-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1728-59-0x0000000000000000-mapping.dmp

Download
memory/2044-81-0x0000000000417A8B-mapping.dmp

Download
memory/2044-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download