azorult | 0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-09-2022 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
Size

1013KB
MD5

20b4ed91510de8b2766a7b27b643a007
SHA1

e52812e0a3a17a291f524bde23a7dea44339bbf3
SHA256

0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a
SHA512

bad5c56aeb9b57c7b4591f34f41a157fc60e5038eeef82aaaa297a267bfb6c69ad8d52a9b60142c502756f56829c8a44840c620e1191458135fbb5b319feed0f
SSDEEP

24576:/axyj3UlpY02W9pNydU50sTmJf2fU+NAmAOLm+t:/ac3UoW9OGxTmJ6emACm+

Score

10^/10

azorult oski raccoon 1cc7ea34e0c2ffcad2b614bf34887c32c8a79609 infostealer spyware stealer trojan

Malware Config

Extracted

Family

raccoon

Version

1.7.1-hotfix

Botnet

1cc7ea34e0c2ffcad2b614bf34887c32c8a79609

Attributes

url4cnc
https://telete.in/brikitiki

rc4.plain

Extracted

Family

oski

darkangel.ac.ug

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 1 IoCs

resource	yara_rule
behavioral1/memory/1320-84-0x0000000000400000-0x0000000000493000-memory.dmp	family_raccoon

Executes dropped EXE 4 IoCs

pid	Process
1724	HJsdfccdf.exe
1444	YTfghawe.exe
1144	YTfghawe.exe
1780	HJsdfccdf.exe

Loads dropped DLL 11 IoCs

pid	Process
1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
1444	YTfghawe.exe
1724	HJsdfccdf.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe
1156	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1964 set thread context of 1320	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	30
PID 1444 set thread context of 1144	1444	YTfghawe.exe	31
PID 1724 set thread context of 1780	1724	HJsdfccdf.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1156	1144	WerFault.exe	31

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
1444	YTfghawe.exe
1724	HJsdfccdf.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
1444	YTfghawe.exe
1724	HJsdfccdf.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1724	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	28
PID 1964 wrote to memory of 1724	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	28
PID 1964 wrote to memory of 1724	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	28
PID 1964 wrote to memory of 1724	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	28
PID 1964 wrote to memory of 1444	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	29
PID 1964 wrote to memory of 1444	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	29
PID 1964 wrote to memory of 1444	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	29
PID 1964 wrote to memory of 1444	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	29
PID 1964 wrote to memory of 1320	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	30
PID 1964 wrote to memory of 1320	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	30
PID 1964 wrote to memory of 1320	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	30
PID 1964 wrote to memory of 1320	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	30
PID 1964 wrote to memory of 1320	1964	0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe	30
PID 1444 wrote to memory of 1144	1444	YTfghawe.exe	31
PID 1444 wrote to memory of 1144	1444	YTfghawe.exe	31
PID 1444 wrote to memory of 1144	1444	YTfghawe.exe	31
PID 1444 wrote to memory of 1144	1444	YTfghawe.exe	31
PID 1444 wrote to memory of 1144	1444	YTfghawe.exe	31
PID 1724 wrote to memory of 1780	1724	HJsdfccdf.exe	33
PID 1724 wrote to memory of 1780	1724	HJsdfccdf.exe	33
PID 1724 wrote to memory of 1780	1724	HJsdfccdf.exe	33
PID 1724 wrote to memory of 1780	1724	HJsdfccdf.exe	33
PID 1724 wrote to memory of 1780	1724	HJsdfccdf.exe	33
PID 1144 wrote to memory of 1156	1144	YTfghawe.exe	37
PID 1144 wrote to memory of 1156	1144	YTfghawe.exe	37
PID 1144 wrote to memory of 1156	1144	YTfghawe.exe	37
PID 1144 wrote to memory of 1156	1144	YTfghawe.exe	37

C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
"C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
  "C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe
    "C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe"
    3⤵
    - Executes dropped EXE
    PID:1780
- C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
  "C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe
    "C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 848
      4⤵
      Loads dropped DLL
      Program crash
      PID:1156
- C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe
  "C:\Users\Admin\AppData\Local\Temp\0733d640a833a24e6c37c8085a6e22ba3245eee995c83edf79f20efa327d365a.exe"
  2⤵
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe

Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe

Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe

Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe

Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe

Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
\Users\Admin\AppData\Local\Temp\HJsdfccdf.exe

Filesize
213KB

MD5
a22b4c1514f696b13a2862aea769ba6a

SHA1
a554a8e63f5d05b880e416a9d0999d628d033f03

SHA256
fe2a8feb0ecd163115d28be80cf4212321de4bd03c7f88e611fbdf8a6551ba2f

SHA512
fd4fb44e03f0239abb30ca50fbb63db250c28d52a68f108ce5b7e95d1bbf6c84cd07229e3fa3b568ca6a805f6d19ba591b98b12c72aeac59893d826a029bdc60

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
\Users\Admin\AppData\Local\Temp\YTfghawe.exe

Filesize
261KB

MD5
ba2af377d1a970e8e083e4c4cec745e2

SHA1
a3d2ca408a97ddca60f581cba48d3f5e74a4fb17

SHA256
f58f96fb0e09e7ddc4a37caa32783b675222b4b97cd08008eaa8538bacc8d035

SHA512
eb854f2ee870162f39cd1678e2f88cd99dadf0e281237a66a14be6b75be489593236d6aabfa69df76b1a31a5cf1e4ef77a913e06bdd022fc957c850d26a65e06

Download Submit
memory/1144-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-84-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1780-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1780-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1964-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1964-70-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads