azorult | 5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54

General

Target

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
Size

1.4MB
MD5

6ae1da8abe6ef9817a617acec71bab22
SHA1

aa61bd2997030f1798399708fc07eca23887d0fc
SHA256

5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54
SHA512

fe6c6328d990f67b28ae7478d025fcb1e5a6c5f2a974dece4b5ab70a7b7106f720118ed2257cf39419221b29c4b53e34099402bca73846a18050d64f03a2e355

Score

10^/10

azorult oski raccoon 180d3985eb74eacf2de83c771fbf30a60f670ec0 infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

levitt.ug

Extracted

Family

raccoon

Botnet

180d3985eb74eacf2de83c771fbf30a60f670ec0

Attributes

url4cnc
https://telete.in/jrikitiki

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2524-150-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

pid	Process
3592	HjsdfvUJq.exe
3144	PVBsjqrhd.exe
1316	HjsdfvUJq.exe
1028	PVBsjqrhd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3592 set thread context of 1316	3592	HjsdfvUJq.exe	80
PID 3932 set thread context of 2524	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	81
PID 3144 set thread context of 1028	3144	PVBsjqrhd.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3360	1028	WerFault.exe	83

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3592	HjsdfvUJq.exe
3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
3144	PVBsjqrhd.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
3592	HjsdfvUJq.exe
3144	PVBsjqrhd.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 3592	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	79
PID 3932 wrote to memory of 3592	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	79
PID 3932 wrote to memory of 3592	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	79
PID 3932 wrote to memory of 3144	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	82
PID 3932 wrote to memory of 3144	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	82
PID 3932 wrote to memory of 3144	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	82
PID 3592 wrote to memory of 1316	3592	HjsdfvUJq.exe	80
PID 3592 wrote to memory of 1316	3592	HjsdfvUJq.exe	80
PID 3592 wrote to memory of 1316	3592	HjsdfvUJq.exe	80
PID 3932 wrote to memory of 2524	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	81
PID 3932 wrote to memory of 2524	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	81
PID 3932 wrote to memory of 2524	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	81
PID 3592 wrote to memory of 1316	3592	HjsdfvUJq.exe	80
PID 3932 wrote to memory of 2524	3932	5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe	81
PID 3144 wrote to memory of 1028	3144	PVBsjqrhd.exe	83
PID 3144 wrote to memory of 1028	3144	PVBsjqrhd.exe	83
PID 3144 wrote to memory of 1028	3144	PVBsjqrhd.exe	83
PID 3144 wrote to memory of 1028	3144	PVBsjqrhd.exe	83

C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
"C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
  "C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe
    "C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe"
    3⤵
    - Executes dropped EXE
    PID:1316
- C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe
  "C:\Users\Admin\AppData\Local\Temp\5cd5861ce0c007ee7d09a79df1a93424ee1f4c2ed503b140e60ac22f6e5ece54.exe"
  2⤵
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
  "C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe
    "C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe"
    3⤵
    - Executes dropped EXE
    PID:1028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1304
      4⤵
      Program crash
      PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1028 -ip 1028
1⤵
PID:3244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe

Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe

Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HjsdfvUJq.exe

Filesize
436KB

MD5
c23be449bcf691fd13acb7cb189810b6

SHA1
23061d43f2f88bd2dd4156c9a5565886ab849254

SHA256
149666943b87827efdf3cd86953e1a4734543df408afc937ac31f96b6ebf9788

SHA512
8938ad5fae55a929edc5a1f502aa1b6a7b936058d392950a32a39885cd48f30b39adf755fd20b9df7035a9cddf5c0f1a1140cb1d19b3a15f2d19eebc7111a82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe

Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe

Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVBsjqrhd.exe

Filesize
480KB

MD5
b1826c325261eb4f435f3f1148576a23

SHA1
2d475fc66a06d299782f72fd82b0823c23bc72b1

SHA256
1e433ad9b3a8bb067865903abd9ccac597ad73352c2f18d6d55fbf83ba0a8da2

SHA512
0e95f2a6f61ea6b7388453643e005a832ddaa2bb77a12b3787f122008720b917be551acab8cd504908ae7615e9adb95e599c500163b20be82db6b06a07717071

Download Submit
memory/1028-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2524-150-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3592-145-0x0000000000730000-0x0000000000736000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads