azorult | 5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20220414-en
submitted
24-05-2022 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
Size

1.4MB
MD5

6ae1da8abe6ef9817a617acec71bab22
SHA1

aa61bd2997030f1798399708fc07eca23887d0fc
SHA256

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54
SHA512

fe6c6328d990f67b28ae7478d025fcb1e5a6c5f2a974dece4b5ab70a7b7106f720118ed2257cf39419221b29c4b53e34099402bca73846a18050d64f03a2e355

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

levitt.ug

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1284-86-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

HjsdfvUJq.exePVBsjqrhd.exePVBsjqrhd.exeHjsdfvUJq.exe

pid process

1580 HjsdfvUJq.exe
1252 PVBsjqrhd.exe
2036 PVBsjqrhd.exe
1192 HjsdfvUJq.exe

pid	process
1580	HjsdfvUJq.exe
1252	PVBsjqrhd.exe
2036	PVBsjqrhd.exe
1192	HjsdfvUJq.exe

Loads dropped DLL 11 IoCs

Processes:

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exeHjsdfvUJq.exePVBsjqrhd.exeWerFault.exe

pid	process
860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
1580	HjsdfvUJq.exe
1252	PVBsjqrhd.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exePVBsjqrhd.exeHjsdfvUJq.exe

description	pid	process	target process
PID 860 set thread context of 1284	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
PID 1252 set thread context of 2036	1252	PVBsjqrhd.exe	PVBsjqrhd.exe
PID 1580 set thread context of 1192	1580	HjsdfvUJq.exe	HjsdfvUJq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 2036 WerFault.exe PVBsjqrhd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exePVBsjqrhd.exeHjsdfvUJq.exe

pid process

860 5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
1252 PVBsjqrhd.exe
1580 HjsdfvUJq.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exeHjsdfvUJq.exePVBsjqrhd.exe

pid process

860 5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
1580 HjsdfvUJq.exe
1252 PVBsjqrhd.exe

pid	pid_target	process	target process
1488	2036	WerFault.exe	PVBsjqrhd.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exePVBsjqrhd.exeHjsdfvUJq.exePVBsjqrhd.exe

description	pid	process	target process
PID 860 wrote to memory of 1580	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	HjsdfvUJq.exe
PID 860 wrote to memory of 1580	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	HjsdfvUJq.exe
PID 860 wrote to memory of 1580	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	HjsdfvUJq.exe
PID 860 wrote to memory of 1580	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	HjsdfvUJq.exe
PID 860 wrote to memory of 1252	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	PVBsjqrhd.exe
PID 860 wrote to memory of 1252	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	PVBsjqrhd.exe
PID 860 wrote to memory of 1252	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	PVBsjqrhd.exe
PID 860 wrote to memory of 1252	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	PVBsjqrhd.exe
PID 860 wrote to memory of 1284	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
PID 860 wrote to memory of 1284	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
PID 860 wrote to memory of 1284	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
PID 860 wrote to memory of 1284	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
PID 860 wrote to memory of 1284	860	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
PID 1252 wrote to memory of 2036	1252	PVBsjqrhd.exe	PVBsjqrhd.exe
PID 1252 wrote to memory of 2036	1252	PVBsjqrhd.exe	PVBsjqrhd.exe
PID 1252 wrote to memory of 2036	1252	PVBsjqrhd.exe	PVBsjqrhd.exe
PID 1252 wrote to memory of 2036	1252	PVBsjqrhd.exe	PVBsjqrhd.exe
PID 1580 wrote to memory of 1192	1580	HjsdfvUJq.exe	HjsdfvUJq.exe
PID 1580 wrote to memory of 1192	1580	HjsdfvUJq.exe	HjsdfvUJq.exe
PID 1580 wrote to memory of 1192	1580	HjsdfvUJq.exe	HjsdfvUJq.exe
PID 1252 wrote to memory of 2036	1252	PVBsjqrhd.exe	PVBsjqrhd.exe
PID 1580 wrote to memory of 1192	1580	HjsdfvUJq.exe	HjsdfvUJq.exe
PID 1580 wrote to memory of 1192	1580	HjsdfvUJq.exe	HjsdfvUJq.exe
PID 2036 wrote to memory of 1488	2036	PVBsjqrhd.exe	WerFault.exe
PID 2036 wrote to memory of 1488	2036	PVBsjqrhd.exe	WerFault.exe
PID 2036 wrote to memory of 1488	2036	PVBsjqrhd.exe	WerFault.exe
PID 2036 wrote to memory of 1488	2036	PVBsjqrhd.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
"C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
"C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580

C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
"C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe"
3⤵
- Executes dropped EXE
PID:1192

C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
"C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
"C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 632
4⤵
- Loads dropped DLL
- Program crash
PID:1488

C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
"C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe"
2⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
memory/860-56-0x00000000763C1000-0x00000000763C3000-memory.dmp

Filesize
8KB

Download
memory/860-77-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/1192-79-0x000000000041A684-mapping.dmp

Download
memory/1192-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1252-63-0x0000000000000000-mapping.dmp

Download
memory/1284-86-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1284-66-0x000000000043FA98-mapping.dmp

Download
memory/1488-87-0x0000000000000000-mapping.dmp

Download
memory/1580-59-0x0000000000000000-mapping.dmp

Download
memory/2036-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-78-0x0000000000417A8B-mapping.dmp

Download