azorult | 43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112

General

Target

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
Size

1.6MB
MD5

c8bee82b1d76257b8977b3f373827100
SHA1

60535191909cefb0932e1ab71c42a05ecff3f84f
SHA256

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112
SHA512

bd3e786a9728fe145ca6bfba5802473be1a5c60f2691d48e39c8d4f33023f06c154ada1778cc495d4d292c28dcc908eb9114239ccfc39c2573d7d53a8b43f0be

Score

10^/10

azorult oski raccoon e5a98a0423e8a05c07c85512b1c0eb7a8fff35a1 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Botnet

e5a98a0423e8a05c07c85512b1c0eb7a8fff35a1

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

oski

C2

pabloq.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3972-138-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/3972-139-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/3972-140-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon
behavioral2/memory/3972-145-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

Processes:

Lime_az.exeLime_az.exeLime_os.exeLime_os.exe

pid process

4328 Lime_az.exe
4904 Lime_az.exe
3808 Lime_os.exe
1996 Lime_os.exe

pid	process
4328	Lime_az.exe
4904	Lime_az.exe
3808	Lime_os.exe
1996	Lime_os.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exeWScript.exeLime_az.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Lime_az.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

Processes:

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exeLime_az.exeLime_os.exe

description	pid	process	target process
PID 2964 set thread context of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 4328 set thread context of 4904	4328	Lime_az.exe	Lime_az.exe
PID 3808 set thread context of 1996	3808	Lime_os.exe	Lime_os.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2000 1996 WerFault.exe Lime_os.exe

pid	pid_target	process	target process
2000	1996	WerFault.exe	Lime_os.exe

Modifies registry class 2 IoCs

Processes:

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exeLime_az.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	Lime_az.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exeLime_az.exeLime_os.exe

pid	process
2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
4328	Lime_az.exe
4328	Lime_az.exe
3808	Lime_os.exe
3808	Lime_os.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exeLime_az.exeLime_os.exe

description	pid	process
Token: SeDebugPrivilege	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
Token: SeDebugPrivilege	4328	Lime_az.exe
Token: SeDebugPrivilege	3808	Lime_os.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exeWScript.exeLime_az.exeWScript.exeLime_os.exe

description	pid	process	target process
PID 2964 wrote to memory of 868	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	WScript.exe
PID 2964 wrote to memory of 868	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	WScript.exe
PID 2964 wrote to memory of 868	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	WScript.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 2964 wrote to memory of 3972	2964	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe	43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
PID 868 wrote to memory of 4328	868	WScript.exe	Lime_az.exe
PID 868 wrote to memory of 4328	868	WScript.exe	Lime_az.exe
PID 868 wrote to memory of 4328	868	WScript.exe	Lime_az.exe
PID 4328 wrote to memory of 1488	4328	Lime_az.exe	WScript.exe
PID 4328 wrote to memory of 1488	4328	Lime_az.exe	WScript.exe
PID 4328 wrote to memory of 1488	4328	Lime_az.exe	WScript.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 4328 wrote to memory of 4904	4328	Lime_az.exe	Lime_az.exe
PID 1488 wrote to memory of 3808	1488	WScript.exe	Lime_os.exe
PID 1488 wrote to memory of 3808	1488	WScript.exe	Lime_os.exe
PID 1488 wrote to memory of 3808	1488	WScript.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe
PID 3808 wrote to memory of 1996	3808	Lime_os.exe	Lime_os.exe

C:\Users\Admin\AppData\Local\Temp\43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
"C:\Users\Admin\AppData\Local\Temp\43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ohwrvu.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\Lime_az.exe
"C:\Users\Admin\AppData\Local\Temp\Lime_az.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ckrbrl.vbs"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Local\Temp\Lime_os.exe
"C:\Users\Admin\AppData\Local\Temp\Lime_os.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\Lime_os.exe
"C:\Users\Admin\AppData\Local\Temp\Lime_os.exe"
6⤵
- Executes dropped EXE
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 1284
7⤵
- Program crash
PID:2000

C:\Users\Admin\AppData\Local\Temp\Lime_az.exe
"C:\Users\Admin\AppData\Local\Temp\Lime_az.exe"
4⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\AppData\Local\Temp\43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe
"C:\Users\Admin\AppData\Local\Temp\43289193e35ad500026942fe9da85b24142625f3dba0e26b88f646bde55a0112.exe"
2⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1996 -ip 1996
1⤵
PID:3860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ckrbrl.vbs
Filesize
95B

MD5
3550c103bad5b787e0ffeae513b57daa

SHA1
dcb236be3035555c6fcb077aa82f583c2559c46b

SHA256
b2218f291548cbcfceb39563f47384e83a647f0e2eda8ad1f7c2c4909817008e

SHA512
e02641998aca9b90caf29f3f357c6eeb77dc6831e029fe434b0e68c9aaa58775123496af0e6964d5139014fbeba3c0ca5c778e9ef1b01c5901019c8edc56d6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lime_az.exe
Filesize
1022KB

MD5
0c9dbc9a459190bdbbea8740d1a7c003

SHA1
7f94768946e359d5f5f5dabfa6c3e23d0aca05c4

SHA256
794a69405d4e0f876bed7975a4969cae18a49eb1faa18065642f1ff348b53ad7

SHA512
667452032bd9fdc6b872efaf5149ac379ca0f42d9fbf13e69f3e0817f22906b820e1f6ca65f61c1b882de17f40791f1f54fbb2435c0281a0fd0b84685e59e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lime_az.exe
Filesize
1022KB

MD5
0c9dbc9a459190bdbbea8740d1a7c003

SHA1
7f94768946e359d5f5f5dabfa6c3e23d0aca05c4

SHA256
794a69405d4e0f876bed7975a4969cae18a49eb1faa18065642f1ff348b53ad7

SHA512
667452032bd9fdc6b872efaf5149ac379ca0f42d9fbf13e69f3e0817f22906b820e1f6ca65f61c1b882de17f40791f1f54fbb2435c0281a0fd0b84685e59e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lime_az.exe
Filesize
1022KB

MD5
0c9dbc9a459190bdbbea8740d1a7c003

SHA1
7f94768946e359d5f5f5dabfa6c3e23d0aca05c4

SHA256
794a69405d4e0f876bed7975a4969cae18a49eb1faa18065642f1ff348b53ad7

SHA512
667452032bd9fdc6b872efaf5149ac379ca0f42d9fbf13e69f3e0817f22906b820e1f6ca65f61c1b882de17f40791f1f54fbb2435c0281a0fd0b84685e59e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lime_os.exe
Filesize
614KB

MD5
49e8a4630cef01ce6e9044c79f0b4df9

SHA1
3cef9a06f4a19be528626f0a7d98c94950ced9db

SHA256
9157e16a62ae374fa6fb6dbdf3fe844dca6a410ec774bd28e6945d39cdde45bb

SHA512
a5bc871334e6db8c893078281a15e52421c55d2916efd323aa46142e23b13f0632a4a0ec8132ed43db5b61ce47bb5925e42b024881f6a5f6667d8db08dbce6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lime_os.exe
Filesize
614KB

MD5
49e8a4630cef01ce6e9044c79f0b4df9

SHA1
3cef9a06f4a19be528626f0a7d98c94950ced9db

SHA256
9157e16a62ae374fa6fb6dbdf3fe844dca6a410ec774bd28e6945d39cdde45bb

SHA512
a5bc871334e6db8c893078281a15e52421c55d2916efd323aa46142e23b13f0632a4a0ec8132ed43db5b61ce47bb5925e42b024881f6a5f6667d8db08dbce6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lime_os.exe
Filesize
614KB

MD5
49e8a4630cef01ce6e9044c79f0b4df9

SHA1
3cef9a06f4a19be528626f0a7d98c94950ced9db

SHA256
9157e16a62ae374fa6fb6dbdf3fe844dca6a410ec774bd28e6945d39cdde45bb

SHA512
a5bc871334e6db8c893078281a15e52421c55d2916efd323aa46142e23b13f0632a4a0ec8132ed43db5b61ce47bb5925e42b024881f6a5f6667d8db08dbce6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ohwrvu.vbs
Filesize
95B

MD5
c7424fe30a1afff4d1bb201834feabfd

SHA1
7cc755d4d900645df7ed19d1da87fb4048e647af

SHA256
9b6b55e7ce08eb22cf38a86953897b49559c43752f398d90038771a6d006080b

SHA512
51fcdb3932f13daabff50bdb5a20d6aa0a18057cc296cfe80ff3e468403f8690dfc2b454265beba0126cf6f08cc2961161405d33e0f7c3159754f0ae0865632c

Download Submit
memory/868-135-0x0000000000000000-mapping.dmp

Download
memory/1488-146-0x0000000000000000-mapping.dmp

Download
memory/1996-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-159-0x0000000000000000-mapping.dmp

Download
memory/1996-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-131-0x0000000000360000-0x000000000050A000-memory.dmp

Filesize
1.7MB

Download
memory/2964-134-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/2964-133-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/2964-132-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/3808-155-0x0000000000000000-mapping.dmp

Download
memory/3808-157-0x00000000005D0000-0x0000000000670000-memory.dmp

Filesize
640KB

Download
memory/3972-139-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3972-145-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3972-140-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3972-138-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/3972-137-0x0000000000000000-mapping.dmp

Download
memory/4328-144-0x0000000000660000-0x0000000000766000-memory.dmp

Filesize
1.0MB

Download
memory/4328-142-0x0000000000000000-mapping.dmp

Download
memory/4904-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-152-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-148-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-158-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4904-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads