azorult | f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53

General

Target

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
Size

1.4MB
MD5

01f6d86a3e0050cb116ad4f16f12a420
SHA1

1d970042bb5b4d6fe680c177c44529f6a7671c3c
SHA256

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53
SHA512

b6a33c16bd8786d84cca5bad32a6fe80698dae7d031207048d38fadc8962e011432c7cd9519353b821ef90ab91a59088b11ba72109ab20d234cc20bc28589939

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

aleaiasko.ug

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2108-151-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

Hfkvbscdium.exePothqncmajgF.exeHfkvbscdium.exePothqncmajgF.exe

pid process

444 Hfkvbscdium.exe
3600 PothqncmajgF.exe
2288 Hfkvbscdium.exe
3224 PothqncmajgF.exe

pid	process
444	Hfkvbscdium.exe
3600	PothqncmajgF.exe
2288	Hfkvbscdium.exe
3224	PothqncmajgF.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

Hfkvbscdium.exef16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exePothqncmajgF.exe

description	pid	process	target process
PID 444 set thread context of 2288	444	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 4312 set thread context of 2108	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 3600 set thread context of 3224	3600	PothqncmajgF.exe	PothqncmajgF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 3224 WerFault.exe PothqncmajgF.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

Hfkvbscdium.exef16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exePothqncmajgF.exe

pid process

444 Hfkvbscdium.exe
4312 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
3600 PothqncmajgF.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exeHfkvbscdium.exePothqncmajgF.exe

pid process

4312 f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
444 Hfkvbscdium.exe
3600 PothqncmajgF.exe

pid	pid_target	process	target process
1780	3224	WerFault.exe	PothqncmajgF.exe

pid	process
444	Hfkvbscdium.exe
4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
3600	PothqncmajgF.exe

pid	process
4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
444	Hfkvbscdium.exe
3600	PothqncmajgF.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exeHfkvbscdium.exePothqncmajgF.exe

description	pid	process	target process
PID 4312 wrote to memory of 444	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 4312 wrote to memory of 444	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 4312 wrote to memory of 444	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	Hfkvbscdium.exe
PID 4312 wrote to memory of 3600	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 4312 wrote to memory of 3600	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 4312 wrote to memory of 3600	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	PothqncmajgF.exe
PID 444 wrote to memory of 2288	444	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 444 wrote to memory of 2288	444	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 444 wrote to memory of 2288	444	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 444 wrote to memory of 2288	444	Hfkvbscdium.exe	Hfkvbscdium.exe
PID 4312 wrote to memory of 2108	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 4312 wrote to memory of 2108	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 4312 wrote to memory of 2108	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 4312 wrote to memory of 2108	4312	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe	f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
PID 3600 wrote to memory of 3224	3600	PothqncmajgF.exe	PothqncmajgF.exe
PID 3600 wrote to memory of 3224	3600	PothqncmajgF.exe	PothqncmajgF.exe
PID 3600 wrote to memory of 3224	3600	PothqncmajgF.exe	PothqncmajgF.exe
PID 3600 wrote to memory of 3224	3600	PothqncmajgF.exe	PothqncmajgF.exe

C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
"C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
"C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
"C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe"
3⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
"C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
"C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe"
3⤵
- Executes dropped EXE
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 1316
4⤵
- Program crash
PID:1780

C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe
"C:\Users\Admin\AppData\Local\Temp\f16514ee7d82f75259d7e0081f96533640f6bdd8bba7bf47b6d0fa64bbf98e53.exe"
2⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3224 -ip 3224
1⤵
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hfkvbscdium.exe
Filesize
432KB

MD5
1e9d15d0e69d2ddaa1201eeb9859645e

SHA1
d75e404d0a709d26781b0481a68e74218b4c4a5c

SHA256
236c5582b4f39d71904e6d072d0c7e2c45b5a935dd56939c92e1b954607842a2

SHA512
4682a620a0b72216a34970b726f1818a76b47be8733182d5080d1a12b919f401849d4ca009fb40ba2cfd0ac3b67decba76e36866c608268fc9b9b244ac4c826b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\PothqncmajgF.exe
Filesize
480KB

MD5
7f572cad5b68d5b32e330aca579152ae

SHA1
a4f3f75b11a059c491476c475721c37d65e7fe31

SHA256
f332a57c7b18e9c7696d9bca39de867d47d24062aadf00d83c839326a55cf88c

SHA512
8f1ec362a6230359055549e7245aba2d48b754b8a477f22451351b817f7d26e95d095de27d6c9b12d6caa09034487a2d15703e6ddb77ade6631e0f205f413c55

Download Submit
memory/444-132-0x0000000000000000-mapping.dmp

Download
memory/444-145-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/2108-144-0x0000000000000000-mapping.dmp

Download
memory/2108-151-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2288-142-0x0000000000000000-mapping.dmp

Download
memory/2288-147-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3224-148-0x0000000000000000-mapping.dmp

Download
memory/3224-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3600-137-0x0000000000000000-mapping.dmp

Download
memory/3600-146-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads